From bcb96c1f47c12d5aee117866ef5bbf1eb4489fae Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Tue, 16 Nov 2021 04:14:18 +0000 Subject: [PATCH 1/6] Update Sophos pipelines for new fields --- .../_dev/deploy/docker/docker-compose.yml | 8 +- packages/sophos/changelog.yml | 5 + ....log-config.yml => test-common-config.yml} | 0 .../pipeline/test-sophos-xg.log-expected.json | 6 +- .../test/pipeline/test-xg-cfilter-new.log | 50 + .../test-xg-cfilter-new.log-expected.json | 5860 ++++++++++++++++ .../_dev/test/pipeline/test-xg-event-new.log | 3 + .../test-xg-event-new.log-expected.json | 172 + .../test/pipeline/test-xg-firewall-new.log | 50 + .../test-xg-firewall-new.log-expected.json | 6218 +++++++++++++++++ .../ingest_pipeline/antispam.yml | 36 - .../ingest_pipeline/antivirus.yml | 38 - .../elasticsearch/ingest_pipeline/cfilter.yml | 29 +- .../elasticsearch/ingest_pipeline/default.yml | 84 +- .../elasticsearch/ingest_pipeline/event.yml | 38 - .../ingest_pipeline/firewall.yml | 107 +- packages/sophos/data_stream/xg/fields/ecs.yml | 4 + .../sophos/data_stream/xg/fields/fields.yml | 84 + packages/sophos/docs/README.md | 22 + packages/sophos/manifest.yml | 2 +- 20 files changed, 12615 insertions(+), 201 deletions(-) rename packages/sophos/data_stream/xg/_dev/test/pipeline/{test-sophos-xg.log-config.yml => test-common-config.yml} (100%) create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log create mode 100644 packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json 
diff --git a/packages/sophos/_dev/deploy/docker/docker-compose.yml b/packages/sophos/_dev/deploy/docker/docker-compose.yml index df715ab5c66..2162572ef10 100644 --- a/packages/sophos/_dev/deploy/docker/docker-compose.yml +++ b/packages/sophos/_dev/deploy/docker/docker-compose.yml @@ -7,25 +7,25 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" sophos-utm-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-utm-*.log" sophos-utm-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-utm-*.log" sophos-xg-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-xg*.log" sophos-xg-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml index d478911f6df..9060e3741f8 100644 --- a/packages/sophos/changelog.yml +++ b/packages/sophos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Update pipelines to parse new fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2163 - version: "1.2.1" changes: - description: Add missing ingest pipeline for "System Health" logs 
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-config.yml b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml
similarity index 100%
rename from packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-config.yml
rename to packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
index e03c8cdf06d..a0320d31828 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
@@ -6100,9 +6100,10 @@
"level": "informational"
},
"network": {
+ "transport": "tcp",
"bytes": 3534,
"packets": 12,
- "transport": "tcp"
+ "direction": "internal"
},
"observer": {
"egress": {
@@ -6114,7 +6115,8 @@
"ingress": {
"interface": {
"name": "ipsec0"
- }
+ },
+ "zone": "VPN"
},
"product": "XG",
"serial_number": "1234567890123457",
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log
new file mode 100644
index 00000000000..0d16167e4f8
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log
@@ -0,0 +1,50 @@
+Nov 16 00:28:48 sophos device_name="SFW" timestamp="2021-11-15T18:28:48-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="UDP" src_port=44740 dst_port=22083 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New"
+Nov 16 00:28:51 sophos device_name="SFW" timestamp="2021-11-15T18:28:51-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain="hls14.asiancdn.net" http_status="0" con_id=173026752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:28:57 sophos device_name="SFW" timestamp="2021-11-15T18:28:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain="hls14.asiancdn.net" http_status="0" con_id=2694936768 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:03 sophos device_name="SFW" timestamp="2021-11-15T18:29:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain="hls14.asiancdn.net" http_status="0" con_id=2564230592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:06 sophos device_name="SFW" timestamp="2021-11-15T18:29:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="18.179.124.174" protocol="TCP" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2617088192 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:29:07 sophos device_name="SFW" timestamp="2021-11-15T18:29:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://array611.prod.do.dsp.mp.microsoft.com" src_ip="192.168.2.110" dst_ip="20.54.24.79" protocol="TCP" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain="array611.prod.do.dsp.mp.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2916030976 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="IRL"
+Nov 16 00:29:11 sophos device_name="SFW" timestamp="2021-11-15T18:29:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain="hls14.asiancdn.net" http_status="0" con_id=2564227072 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:16 sophos device_name="SFW" timestamp="2021-11-15T18:29:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="208.73.181.98" protocol="TCP" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain="208.73.181.98" http_user_agent="TvHttpClient" http_status="200" con_id=3159010752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:20 sophos device_name="SFW" timestamp="2021-11-15T18:29:20-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://mtalk.google.com" src_ip="192.168.2.162" dst_ip="142.250.113.188" protocol="TCP" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain="mtalk.google.com" http_status="0" con_id=172826048 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:21 sophos device_name="SFW" timestamp="2021-11-15T18:29:21-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://204.176.49.2/tivo-service/mercury.cgi" content_type="text/plain" src_ip="192.168.2.131" dst_ip="204.176.49.2" protocol="TCP" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain="204.176.49.2" http_status="200" con_id=175812032 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.202/tivo-service/mlog.cgi?gzip" content_type="text/plain" src_ip="192.168.2.131" dst_ip="208.73.181.202" protocol="TCP" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain="208.73.181.202" http_status="200" con_id=175808832 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain="hls14.asiancdn.net" http_status="0" con_id=2719000448 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:23 sophos device_name="SFW" timestamp="2021-11-15T18:29:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://alive.github.com" src_ip="192.168.2.41" dst_ip="140.82.113.26" protocol="TCP" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain="alive.github.com" http_status="0" con_id=2721561088 app_name="GitHub" app_is_cloud="TRUE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=1 app_category="Storage and Backup"
+Nov 16 00:29:26 sophos device_name="SFW" timestamp="2021-11-15T18:29:26-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain="192.168.2.90" http_status="0" con_id=175809792 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1"
+Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://tpcf.feedify.net" src_ip="192.168.2.41" dst_ip="205.185.216.10" protocol="TCP" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain="tpcf.feedify.net" http_status="0" con_id=2685143552 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain="hls14.asiancdn.net" http_status="0" con_id=173140160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:32 sophos device_name="SFW" timestamp="2021-11-15T18:29:32-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="https://logsink.devices.nest.com" src_ip="192.168.2.109" dst_ip="35.190.54.210" protocol="TCP" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain="logsink.devices.nest.com" http_status="0" con_id=3159009472 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:33 sophos device_name="SFW" timestamp="2021-11-15T18:29:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="23.111.157.86" dst_country="USA" protocol="UDP" src_port=44740 dst_port=4000 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New"
+Nov 16 00:29:36 sophos device_name="SFW" timestamp="2021-11-15T18:29:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="54.249.34.55" protocol="TCP" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3729897664 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:29:39 sophos device_name="SFW" timestamp="2021-11-15T18:29:39-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://api.smartthings.com" src_ip="192.168.2.102" dst_ip="3.21.120.95" protocol="TCP" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain="api.smartthings.com" http_status="0" con_id=3729897984 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.105" dst_ip="142.250.114.94" protocol="TCP" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094" http_status="204" con_id=407760320 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.123" dst_ip="142.250.191.227" protocol="TCP" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000" http_status="204" con_id=3019156928 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Business Networking" http_category_type="Acceptable" url="https://realtime.www.linkedin.com" src_ip="192.168.2.41" dst_ip="13.107.42.14" protocol="TCP" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain="realtime.www.linkedin.com" http_status="0" con_id=172822528 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:42 sophos device_name="SFW" timestamp="2021-11-15T18:29:42-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="8" web_policy_id=4 http_category="Information Technology" http_category_type="Acceptable" url="http://checkip.dyndns.org/" content_type="text/html" src_ip="192.168.3.36" dst_ip="132.226.247.73" protocol="TCP" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain="checkip.dyndns.org" http_user_agent="ddclient/3.9.1" http_status="200" con_id=154693632 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="BRA"
+Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain="hls14.asiancdn.net" http_status="0" con_id=407384704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Shopping" http_category_type="Unproductive" url="https://device-metrics-us-2.amazon.com" src_ip="192.168.2.106" dst_ip="54.157.203.98" protocol="TCP" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain="device-metrics-us-2.amazon.com" http_status="0" con_id=3019356672 app_name="Amazon Shopping" app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=2 app_category="General Internet"
+Nov 16 00:29:44 sophos device_name="SFW" timestamp="2021-11-15T18:29:44-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.32" dst_ip="52.183.220.149" protocol="TCP" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=3159007232 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://clientservices.googleapis.com" src_ip="192.168.2.156" dst_ip="142.251.40.67" protocol="TCP" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain="clientservices.googleapis.com" http_status="0" con_id=2432150656 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain="192.168.2.90" http_status="0" con_id=2721559808 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1"
+Nov 16 00:29:56 sophos device_name="SFW" timestamp="2021-11-15T18:29:56-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Entertainment" http_category_type="Unproductive" url="https://api.thetake.com" src_ip="192.168.2.143" dst_ip="104.22.76.177" protocol="TCP" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain="api.thetake.com" http_status="0" con_id=2685144512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1"
+Nov 16 00:29:57 sophos device_name="SFW" timestamp="2021-11-15T18:29:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://tools.google.com" src_ip="192.168.2.105" dst_ip="142.251.32.174" protocol="TCP" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain="tools.google.com" http_status="0" con_id=151870592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:00 sophos device_name="SFW" timestamp="2021-11-15T18:30:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain="hls14.asiancdn.net" http_status="0" con_id=3019355392 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:01 sophos device_name="SFW" timestamp="2021-11-15T18:30:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://edge.microsoft.com" src_ip="192.168.2.107" dst_ip="204.79.197.219" protocol="TCP" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain="edge.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2689611008 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:02 sophos device_name="SFW" timestamp="2021-11-15T18:30:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.139" dst_ip="142.251.45.78" protocol="TCP" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain="clients4.google.com" http_status="0" con_id=2432148096 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:03 sophos device_name="SFW" timestamp="2021-11-15T18:30:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.107" dst_ip="52.183.220.149" protocol="TCP" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=173138560 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:06 sophos device_name="SFW" timestamp="2021-11-15T18:30:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="54.249.34.55" protocol="TCP" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2841967104 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:30:11 sophos device_name="SFW" timestamp="2021-11-15T18:30:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Games" http_category_type="Unproductive" url="https://catalog.gamepass.com" src_ip="192.168.2.110" dst_ip="23.218.232.189" protocol="TCP" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain="catalog.gamepass.com" http_status="0" con_id=2685088704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:16 sophos device_name="SFW" timestamp="2021-11-15T18:30:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.105" dst_ip="142.251.45.78" protocol="TCP" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain="clients4.google.com" http_status="0" con_id=3017219520 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://www.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.32.170" protocol="TCP" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain="www.googleapis.com" http_status="0" con_id=154695872 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://play.googleapis.com" src_ip="192.168.2.126" dst_ip="172.217.14.170" protocol="TCP" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain="play.googleapis.com" http_status="0" con_id=2169324160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" 
src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.45.74" protocol="TCP" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain="android.googleapis.com" http_status="0" con_id=173141120 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:27 sophos device_name="SFW" timestamp="2021-11-15T18:30:27-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://discord.com" src_ip="192.168.2.156" dst_ip="162.159.136.232" protocol="TCP" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain="discord.com" http_status="0" con_id=3732575808 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" +Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" 
src_ip="192.168.2.131" dst_ip="208.73.181.98" protocol="TCP" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain="208.73.181.98" http_user_agent="TvHttpClient" http_status="200" con_id=999028608 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="General Business" http_category_type="Acceptable" url="https://backend-ssp.adstudio.cloud" src_ip="192.168.2.41" dst_ip="8.2.110.235" protocol="TCP" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain="backend-ssp.adstudio.cloud" http_status="0" con_id=175214016 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.45.74" protocol="TCP" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain="android.googleapis.com" http_status="0" con_id=3732577728 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content 
Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain="hls14.asiancdn.net" http_status="0" con_id=173138880 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:33 sophos device_name="SFW" timestamp="2021-11-15T18:30:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://vortex.data.microsoft.com" src_ip="192.168.2.119" dst_ip="64.4.54.254" protocol="TCP" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain="vortex.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2564229952 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="35.74.7.193" protocol="TCP" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3159008512 
app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN" +Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Advertisements" http_category_type="Unproductive" url="https://us-trc-events.taboola.com" src_ip="192.168.2.41" dst_ip="141.226.224.48" protocol="TCP" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain="us-trc-events.taboola.com" http_status="0" con_id=999027328 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:38 sophos device_name="SFW" timestamp="2021-11-15T18:30:38-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://deviceintegritytokens-pa.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.32.138" protocol="TCP" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain="deviceintegritytokens-pa.googleapis.com" http_status="0" con_id=408293376 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json new file mode 100644 index 00000000000..049f927da81 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json 
@@ -0,0 +1,5860 @@ +{ + "expected": [ + { + "server": { + "port": 22083, + "ip": "192.168.1.15" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 22083, + "ip": "192.168.1.15" + }, + "source": { + "port": 44740, + "ip": "192.168.2.32" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:28:48.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "Application", + "device_model": "SFVH", + "log_subtype": "Denied", + "message_id": "17051", + "app_is_cloud": "FALSE", + "app_technology": "P2P", + "app_name": "Torrent Clients P2P", + "device_name": "SFW", + "log_type": "Content Filtering", + "app_risk": "5", + "app_resolved_by": "Signature", + "qualifier": "New", + "app_category": "P2P", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 44740, + "ip": "192.168.2.32" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192951025Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "code": "054402617051", + "kind": "alert", + 
"action": "denied", + "category": [ + "malware", + "network" + ], + "type": [ + "info", + "denied", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2856085, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." + } + }, + "port": 443, + "bytes": 2856085, + "ip": "45.57.227.202" + }, + "source": { + "port": 50931, + "bytes": 19591, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:28:51.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "173026752", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50931, + "bytes": 19591, + "ip": "192.168.2.111" + }, + "event": { 
+ "severity": 6, + "ingested": "2021-11-16T04:09:54.192955721Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 1708430, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." 
+ } + }, + "port": 443, + "bytes": 1708430, + "ip": "45.57.227.202" + }, + "source": { + "port": 50932, + "bytes": 12138, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:28:57.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2694936768", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50932, + "bytes": 12138, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192957824Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2608205, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." + } + }, + "port": 443, + "bytes": 2608205, + "ip": "45.57.227.202" + }, + "source": { + "port": 50933, + "bytes": 15419, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2564230592", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + 
"log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50933, + "bytes": 15419, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192959732Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 249, + "ip": "18.179.124.174" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "JP-13", + "city_name": "Tokyo", + "country_iso_code": "JP", + "country_name": "Japan", + "region_name": "Tokyo", + "location": { + "lon": 139.7532, + "lat": 35.6882 + } + }, + "as": { + "number": 16509, + "organization": { + "name": "Amazon.com, Inc." 
+ } + }, + "port": 80, + "bytes": 249, + "ip": "18.179.124.174" + }, + "source": { + "port": 54640, + "bytes": 77, + "ip": "192.168.2.112" + }, + "url": { + "path": "/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "scheme": "http", + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:06.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "18.179.124.174" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2617088192", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/octet-stream", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 54640, + "bytes": 77, + "ip": "192.168.2.112" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192961611Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" 
url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"18.179.124.174\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 3511, + "ip": "20.54.24.79" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 443, + "bytes": 3511, + "ip": "20.54.24.79" + }, + "source": { + "port": 53392, + "bytes": 2128, + "ip": "192.168.2.110" + }, + "url": { + "path": "", + "original": "https://array611.prod.do.dsp.mp.microsoft.com", + "scheme": "https", + "domain": "array611.prod.do.dsp.mp.microsoft.com", + "full": "https://array611.prod.do.dsp.mp.microsoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:07.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "20.54.24.79" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916030976", + "message_id": "16001", + 
"exceptions": "av,https,validation,policy,zero-day protection", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53392, + "bytes": 2128, + "ip": "192.168.2.110" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192963560Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"20.54.24.79\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"IRL\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2569044, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net 
Solutions Inc." + } + }, + "port": 443, + "bytes": 2569044, + "ip": "45.57.227.202" + }, + "source": { + "port": 50934, + "bytes": 16674, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:11.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2564227072", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50934, + "bytes": 16674, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192965421Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 8089, + "bytes": 307, + "ip": "208.73.181.98" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 10982, + "organization": { + "name": "TiVo, Inc." + } + }, + "port": 8089, + "bytes": 307, + "ip": "208.73.181.98" + }, + "source": { + "port": 40230, + "bytes": 260, + "ip": "192.168.2.131" + }, + "url": { + "path": "/mind/mind42", + "original": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "scheme": "http", + "port": 8089, + "domain": "208.73.181.98", + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "full": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:16.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "208.73.181.98" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3159010752", + 
"message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/json", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 40230, + "bytes": 260, + "ip": "192.168.2.131" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192967305Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.98\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"208.73.181.98\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 33728, + "ip": "142.250.113.188" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 
443, + "bytes": 33728, + "ip": "142.250.113.188" + }, + "source": { + "port": 53421, + "bytes": 13804, + "ip": "192.168.2.162" + }, + "url": { + "path": "", + "original": "https://mtalk.google.com", + "scheme": "https", + "domain": "mtalk.google.com", + "full": "https://mtalk.google.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:20.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.162", + "142.250.113.188" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "172826048", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Online Chat", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53421, + "bytes": 13804, + "ip": "192.168.2.162" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192969295Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"142.250.113.188\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" 
con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 136, + "ip": "204.176.49.2" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Sunnyvale", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -122.0351, + "lat": 37.3479 + } + }, + "as": { + "number": 10982, + "organization": { + "name": "TiVo, Inc." + } + }, + "port": 80, + "bytes": 136, + "ip": "204.176.49.2" + }, + "source": { + "port": 33541, + "bytes": 240, + "ip": "192.168.2.131" + }, + "url": { + "path": "/tivo-service/mercury.cgi", + "extension": "cgi", + "original": "http://204.176.49.2/tivo-service/mercury.cgi", + "scheme": "http", + "domain": "204.176.49.2", + "full": "http://204.176.49.2/tivo-service/mercury.cgi" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:21.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "204.176.49.2" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "175812032", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + 
"log_type": "Content Filtering", + "content_type": "text/plain", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 33541, + "bytes": 240, + "ip": "192.168.2.131" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192980249Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://204.176.49.2/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"204.176.49.2\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"204.176.49.2\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 123, + "ip": "208.73.181.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 10982, + "organization": { + "name": "TiVo, Inc." 
+ } + }, + "port": 80, + "bytes": 123, + "ip": "208.73.181.202" + }, + "source": { + "port": 46564, + "bytes": 253, + "ip": "192.168.2.131" + }, + "url": { + "path": "/tivo-service/mlog.cgi", + "extension": "cgi", + "original": "http://208.73.181.202/tivo-service/mlog.cgi?gzip", + "scheme": "http", + "domain": "208.73.181.202", + "query": "gzip", + "full": "http://208.73.181.202/tivo-service/mlog.cgi?gzip" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:22.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "208.73.181.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "175808832", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "text/plain", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 46564, + "bytes": 253, + "ip": "192.168.2.131" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192982310Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" 
url=\"http://208.73.181.202/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.202\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"208.73.181.202\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 1834077, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." 
+ } + }, + "port": 443, + "bytes": 1834077, + "ip": "45.57.227.202" + }, + "source": { + "port": 50935, + "bytes": 10131, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:22.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2719000448", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50935, + "bytes": 10131, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192984323Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 11890, + "ip": "140.82.113.26" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 36459, + "organization": { + "name": "GitHub, Inc." + } + }, + "port": 443, + "bytes": 11890, + "ip": "140.82.113.26" + }, + "source": { + "port": 20492, + "bytes": 18152, + "ip": "192.168.2.41" + }, + "url": { + "path": "", + "original": "https://alive.github.com", + "scheme": "https", + "domain": "alive.github.com", + "full": "https://alive.github.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:23.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "140.82.113.26" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "11", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "2721561088", + "message_id": "16001", + "app_is_cloud": "TRUE", + "http_category_type": "Acceptable", + "app_name": "GitHub", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information 
Technology", + "app_risk": "1", + "app_category": "Storage and Backup", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 20492, + "bytes": 18152, + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192986187Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"140.82.113.26\" protocol=\"TCP\" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=1 app_category=\"Storage and Backup\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 8089, + "bytes": 3059, + "ip": "192.168.2.90" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 8089, + "bytes": 3059, + "ip": "192.168.2.90" + }, + "source": { + "port": 37906, + "bytes": 1361, + "ip": "192.168.3.36" + }, + "url": { + "path": "", + "original": "https://192.168.2.90", + "scheme": "https", + "domain": "192.168.2.90", + "full": "https://192.168.2.90" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "DMZ" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": 
"firewall", + "egress": { + "zone": "LAN" + } + }, + "@timestamp": "2021-11-16T00:29:26.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "16", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "4", + "log_subtype": "Allowed", + "con_id": "175809792", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 37906, + "bytes": 1361, + "ip": "192.168.3.36" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192988038Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 1556, + "ip": "205.185.216.10" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-AZ", + 
"city_name": "Phoenix", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Arizona", + "location": { + "lon": -112.0664, + "lat": 33.5065 + } + }, + "as": { + "number": 20446, + "organization": { + "name": "Highwinds Network Group, Inc." + } + }, + "port": 443, + "bytes": 1556, + "ip": "205.185.216.10" + }, + "source": { + "port": 22569, + "bytes": 1752, + "ip": "192.168.2.41" + }, + "url": { + "path": "", + "original": "https://tpcf.feedify.net", + "scheme": "https", + "domain": "tpcf.feedify.net", + "full": "https://tpcf.feedify.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:28.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "205.185.216.10" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "11", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "2685143552", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 22569, + "bytes": 1752, + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192989886Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 
http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"205.185.216.10\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2516804, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." 
+ } + }, + "port": 443, + "bytes": 2516804, + "ip": "45.57.227.202" + }, + "source": { + "port": 50936, + "bytes": 12938, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:28.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "173140160", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50936, + "bytes": 12938, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192991739Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 1259, + "ip": "35.190.54.210" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Mountain View", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -122.0748, + "lat": 37.4043 + } + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 1259, + "ip": "35.190.54.210" + }, + "source": { + "port": 49505, + "bytes": 8057, + "ip": "192.168.2.109" + }, + "url": { + "path": "", + "original": "https://logsink.devices.nest.com", + "scheme": "https", + "domain": "logsink.devices.nest.com", + "full": "https://logsink.devices.nest.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:32.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.109", + "35.190.54.210" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3159009472", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", 
+ "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 49505, + "bytes": 8057, + "ip": "192.168.2.109" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192993699Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"35.190.54.210\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 4000, + "ip": "23.111.157.86" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-GA", + "city_name": "Atlanta", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Georgia", + "location": { + "lon": -84.3886, + "lat": 33.7553 + } + }, + "as": { + "number": 29802, + "organization": { + "name": "HIVELOCITY, Inc." 
+ } + }, + "port": 4000, + "ip": "23.111.157.86" + }, + "source": { + "port": 44740, + "ip": "192.168.2.32" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:29:33.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "23.111.157.86" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "Application", + "device_model": "SFVH", + "log_subtype": "Denied", + "message_id": "17051", + "app_is_cloud": "FALSE", + "app_technology": "P2P", + "app_name": "Torrent Clients P2P", + "device_name": "SFW", + "log_type": "Content Filtering", + "app_risk": "5", + "app_resolved_by": "Signature", + "qualifier": "New", + "app_category": "P2P", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 44740, + "ip": "192.168.2.32" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192995566Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"23.111.157.86\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "code": "054402617051", + "kind": "alert", + "action": "denied", + "category": [ + "malware", + "network" + ], + "type": [ + "info", + "denied", + "connection" + ], + "outcome": "success" + } + }, 
+ { + "server": { + "port": 80, + "bytes": 249, + "ip": "54.249.34.55" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "JP-13", + "city_name": "Tokyo", + "country_iso_code": "JP", + "country_name": "Japan", + "region_name": "Tokyo", + "location": { + "lon": 139.7532, + "lat": 35.6882 + } + }, + "as": { + "number": 16509, + "organization": { + "name": "Amazon.com, Inc." + } + }, + "port": 80, + "bytes": 249, + "ip": "54.249.34.55" + }, + "source": { + "port": 39118, + "bytes": 77, + "ip": "192.168.2.112" + }, + "url": { + "path": "/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "scheme": "http", + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:36.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "54.249.34.55" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3729897664", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/octet-stream", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 39118, + "bytes": 77, + "ip": "192.168.2.112" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": 
"2021-11-16T04:09:54.192997444Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"54.249.34.55\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 4092, + "ip": "3.21.120.95" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "port": 443, + "bytes": 4092, + "ip": "3.21.120.95" + }, + "source": { + "port": 49030, + "bytes": 1157, + "ip": "192.168.2.102" + }, + "url": { + "path": "", + "original": "https://api.smartthings.com", + "scheme": "https", + "domain": "api.smartthings.com", + "full": "https://api.smartthings.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": 
"firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:39.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.102", + "3.21.120.95" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3729897984", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 49030, + "bytes": 1157, + "ip": "192.168.2.102" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.192999300Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"3.21.120.95\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 83, + "ip": "142.250.114.94" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North 
America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 80, + "bytes": 83, + "ip": "142.250.114.94" + }, + "source": { + "port": 52457, + "bytes": 474, + "ip": "192.168.2.105" + }, + "url": { + "path": "/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "scheme": "http", + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:40.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "142.250.114.94" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407760320", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 52457, + "bytes": 474, + "ip": "192.168.2.105" + }, + "http": { + "response": { + "status_code": 204 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193001164Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" 
log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"142.250.114.94\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 83, + "ip": "142.250.191.227" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 80, + "bytes": 83, + "ip": "142.250.191.227" + }, + "source": { + "port": 35596, + "bytes": 310, + "ip": "192.168.2.123" + }, + "url": { + "path": "/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "scheme": "http", + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:40.000Z", + 
"ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.123", + "142.250.191.227" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3019156928", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 35596, + "bytes": 310, + "ip": "192.168.2.123" + }, + "http": { + "response": { + "status_code": 204 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193003009Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"142.250.191.227\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 
443, + "bytes": 6231, + "ip": "13.107.42.14" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 8068, + "organization": { + "name": "Microsoft Corporation" + } + }, + "port": 443, + "bytes": 6231, + "ip": "13.107.42.14" + }, + "source": { + "port": 22465, + "bytes": 2182, + "ip": "192.168.2.41" + }, + "url": { + "path": "", + "original": "https://realtime.www.linkedin.com", + "scheme": "https", + "domain": "realtime.www.linkedin.com", + "full": "https://realtime.www.linkedin.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:40.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "13.107.42.14" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "11", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "172822528", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Business Networking", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 22465, + "bytes": 2182, + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193004875Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" 
log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"13.107.42.14\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 270, + "ip": "132.226.247.73" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "NL-NH", + "city_name": "Amsterdam", + "country_iso_code": "NL", + "country_name": "Netherlands", + "region_name": "North Holland", + "location": { + "lon": 4.9087, + "lat": 52.3534 + } + }, + "as": { + "number": 7160, + "organization": { + "name": "Oracle Corporation" + } + }, + "port": 80, + "bytes": 270, + "ip": "132.226.247.73" + }, + "source": { + "port": 56126, + "bytes": 91, + "ip": "192.168.3.36" + }, + "url": { + "path": "/", + "original": "http://checkip.dyndns.org/", + "scheme": "http", + "domain": "checkip.dyndns.org", + "full": "http://checkip.dyndns.org/" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "DMZ" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:42.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": 
[ + "192.168.3.36", + "132.226.247.73" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "8", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "4", + "log_subtype": "Allowed", + "con_id": "154693632", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "text/html", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 56126, + "bytes": 91, + "ip": "192.168.3.36" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193006822Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"132.226.247.73\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2569893, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": 
"Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." + } + }, + "port": 443, + "bytes": 2569893, + "ip": "45.57.227.202" + }, + "source": { + "port": 50937, + "bytes": 17223, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:43.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407384704", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50937, + "bytes": 17223, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193008689Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 
http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 5643, + "ip": "54.157.203.98" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "city_name": "Ashburn", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.4728, + "lat": 39.0481 + } + }, + "as": { + "number": 14618, + "organization": { + "name": "Amazon.com, Inc." 
+ } + }, + "port": 443, + "bytes": 5643, + "ip": "54.157.203.98" + }, + "source": { + "port": 63937, + "bytes": 3319, + "ip": "192.168.2.106" + }, + "url": { + "path": "", + "original": "https://device-metrics-us-2.amazon.com", + "scheme": "https", + "domain": "device-metrics-us-2.amazon.com", + "full": "https://device-metrics-us-2.amazon.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:43.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.106", + "54.157.203.98" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3019356672", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "app_name": "Amazon Shopping", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Online Shopping", + "app_risk": "2", + "app_category": "General Internet", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 63937, + "bytes": 3319, + "ip": "192.168.2.106" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193010554Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" 
src_ip=\"192.168.2.106\" dst_ip=\"54.157.203.98\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 4386, + "ip": "52.183.220.149" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-TX", + "city_name": "San Antonio", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Texas", + "location": { + "lon": -98.4935, + "lat": 29.4247 + } + }, + "as": { + "number": 8075, + "organization": { + "name": "Microsoft Corporation" + } + }, + "port": 443, + "bytes": 4386, + "ip": "52.183.220.149" + }, + "source": { + "port": 59357, + "bytes": 2144, + "ip": "192.168.2.32" + }, + "url": { + "path": "", + "original": "https://settings-win.data.microsoft.com", + "scheme": "https", + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:44.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "52.183.220.149" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + 
"log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3159007232", + "message_id": "16001", + "exceptions": "av,https,validation,policy,zero-day protection", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 59357, + "bytes": 2144, + "ip": "192.168.2.32" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193012448Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"52.183.220.149\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2046, + "ip": "142.251.40.67" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + 
"number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 2046, + "ip": "142.251.40.67" + }, + "source": { + "port": 62996, + "bytes": 1839, + "ip": "192.168.2.156" + }, + "url": { + "path": "", + "original": "https://clientservices.googleapis.com", + "scheme": "https", + "domain": "clientservices.googleapis.com", + "full": "https://clientservices.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:47.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.156", + "142.251.40.67" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2432150656", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 62996, + "bytes": 1839, + "ip": "192.168.2.156" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193014285Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" src_ip=\"192.168.2.156\" 
dst_ip=\"142.251.40.67\" protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 8089, + "bytes": 2376, + "ip": "192.168.2.90" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 8089, + "bytes": 2376, + "ip": "192.168.2.90" + }, + "source": { + "port": 37912, + "bytes": 542, + "ip": "192.168.3.36" + }, + "url": { + "path": "", + "original": "https://192.168.2.90", + "scheme": "https", + "domain": "192.168.2.90", + "full": "https://192.168.2.90" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "DMZ" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "LAN" + } + }, + "@timestamp": "2021-11-16T00:29:47.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "16", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "4", + "log_subtype": "Allowed", + "con_id": "2721559808", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 37912, + "bytes": 542, + "ip": "192.168.3.36" + }, + "event": { + "severity": 6, 
+ "ingested": "2021-11-16T04:09:54.193016168Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 6023, + "ip": "104.22.76.177" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "port": 443, + "bytes": 6023, + "ip": "104.22.76.177" + }, + "source": { + "port": 49274, + "bytes": 2680, + "ip": "192.168.2.143" + }, + "url": { + "path": "", + "original": "https://api.thetake.com", + "scheme": "https", + "domain": "api.thetake.com", + "full": "https://api.thetake.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:56.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.143", + "104.22.76.177" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2685144512", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Entertainment", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 49274, + "bytes": 2680, + "ip": "192.168.2.143" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193018011Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"104.22.76.177\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" 
con_id=2685144512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 8533, + "ip": "142.251.32.174" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 8533, + "ip": "142.251.32.174" + }, + "source": { + "port": 35672, + "bytes": 1719, + "ip": "192.168.2.105" + }, + "url": { + "path": "", + "original": "https://tools.google.com", + "scheme": "https", + "domain": "tools.google.com", + "full": "https://tools.google.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:29:57.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "142.251.32.174" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "151870592", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + 
"client": { + "port": 35672, + "bytes": 1719, + "ip": "192.168.2.105" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193019860Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"142.251.32.174\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 4923601, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." 
+ } + }, + "port": 443, + "bytes": 4923601, + "ip": "45.57.227.202" + }, + "source": { + "port": 50938, + "bytes": 25597, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:00.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3019355392", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50938, + "bytes": 25597, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193021711Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 7256, + "ip": "204.79.197.219" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 8068, + "organization": { + "name": "Microsoft Corporation" + } + }, + "port": 443, + "bytes": 7256, + "ip": "204.79.197.219" + }, + "source": { + "port": 53571, + "bytes": 10198, + "ip": "192.168.2.107" + }, + "url": { + "path": "", + "original": "https://edge.microsoft.com", + "scheme": "https", + "domain": "edge.microsoft.com", + "full": "https://edge.microsoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.107", + "204.79.197.219" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2689611008", + "message_id": "16001", + "exceptions": "av,https,validation,policy,zero-day protection", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content 
Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53571, + "bytes": 10198, + "ip": "192.168.2.107" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193023555Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"204.79.197.219\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2128, + "ip": "142.251.45.78" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 2128, + "ip": "142.251.45.78" + }, + "source": { + "port": 49726, + "bytes": 4395, + "ip": "192.168.2.139" + }, + "url": { + "path": "", + "original": "https://clients4.google.com", + "scheme": "https", + "domain": "clients4.google.com", + "full": 
"https://clients4.google.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:02.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.139", + "142.251.45.78" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2432148096", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Search Engines", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 49726, + "bytes": 4395, + "ip": "192.168.2.139" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193025410Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"142.251.45.78\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + 
"network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 4408, + "ip": "52.183.220.149" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-TX", + "city_name": "San Antonio", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Texas", + "location": { + "lon": -98.4935, + "lat": 29.4247 + } + }, + "as": { + "number": 8075, + "organization": { + "name": "Microsoft Corporation" + } + }, + "port": 443, + "bytes": 4408, + "ip": "52.183.220.149" + }, + "source": { + "port": 53600, + "bytes": 1697, + "ip": "192.168.2.107" + }, + "url": { + "path": "", + "original": "https://settings-win.data.microsoft.com", + "scheme": "https", + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.107", + "52.183.220.149" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "173138560", + "message_id": "16001", + "exceptions": "av,https,validation,policy,zero-day protection", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53600, + "bytes": 
1697, + "ip": "192.168.2.107" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193027338Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"52.183.220.149\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 249, + "ip": "54.249.34.55" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "JP-13", + "city_name": "Tokyo", + "country_iso_code": "JP", + "country_name": "Japan", + "region_name": "Tokyo", + "location": { + "lon": 139.7532, + "lat": 35.6882 + } + }, + "as": { + "number": 16509, + "organization": { + "name": "Amazon.com, Inc." 
+ } + }, + "port": 80, + "bytes": 249, + "ip": "54.249.34.55" + }, + "source": { + "port": 39119, + "bytes": 77, + "ip": "192.168.2.112" + }, + "url": { + "path": "/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "scheme": "http", + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:06.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "54.249.34.55" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2841967104", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/octet-stream", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 39119, + "bytes": 77, + "ip": "192.168.2.112" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193029271Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" 
url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"54.249.34.55\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 6770, + "ip": "23.218.232.189" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 24835, + "organization": { + "name": "RAYA Telecom - Egypt" + } + }, + "port": 443, + "bytes": 6770, + "ip": "23.218.232.189" + }, + "source": { + "port": 53588, + "bytes": 1030, + "ip": "192.168.2.110" + }, + "url": { + "path": "", + "original": "https://catalog.gamepass.com", + "scheme": "https", + "domain": "catalog.gamepass.com", + "full": "https://catalog.gamepass.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:11.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "23.218.232.189" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + 
"con_id": "2685088704", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Games", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53588, + "bytes": 1030, + "ip": "192.168.2.110" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193031105Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"23.218.232.189\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2848, + "ip": "142.251.45.78" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 2848, + "ip": "142.251.45.78" + }, + "source": { + "port": 52580, + "bytes": 7011, + "ip": "192.168.2.105" + }, + "url": { + "path": "", + "original": "https://clients4.google.com", + 
"scheme": "https", + "domain": "clients4.google.com", + "full": "https://clients4.google.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:16.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "142.251.45.78" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3017219520", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Search Engines", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 52580, + "bytes": 7011, + "ip": "192.168.2.105" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193032938Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"142.251.45.78\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": 
"050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 63488, + "ip": "142.251.32.170" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 63488, + "ip": "142.251.32.170" + }, + "source": { + "port": 53942, + "bytes": 3093, + "ip": "192.168.2.126" + }, + "url": { + "path": "", + "original": "https://www.googleapis.com", + "scheme": "https", + "domain": "www.googleapis.com", + "full": "https://www.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:25.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "142.251.32.170" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "154695872", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53942, + "bytes": 3093, + "ip": "192.168.2.126" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193034758Z", + 
"original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.32.170\" protocol=\"TCP\" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 7520, + "ip": "172.217.14.170" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 7520, + "ip": "172.217.14.170" + }, + "source": { + "port": 48938, + "bytes": 22415, + "ip": "192.168.2.126" + }, + "url": { + "path": "", + "original": "https://play.googleapis.com", + "scheme": "https", + "domain": "play.googleapis.com", + "full": "https://play.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:25.000Z", + 
"ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "172.217.14.170" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2169324160", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 48938, + "bytes": 22415, + "ip": "192.168.2.126" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193036597Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"172.217.14.170\" protocol=\"TCP\" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 9567, + "ip": "142.251.45.74" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 
+ }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 9567, + "ip": "142.251.45.74" + }, + "source": { + "port": 53450, + "bytes": 9159, + "ip": "192.168.2.126" + }, + "url": { + "path": "", + "original": "https://android.googleapis.com", + "scheme": "https", + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:25.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "142.251.45.74" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "173141120", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53450, + "bytes": 9159, + "ip": "192.168.2.126" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193038416Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" 
dst_ip=\"142.251.45.74\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 6253, + "ip": "162.159.136.232" + }, + "log": { + "level": "Information" + }, + "destination": { + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 443, + "bytes": 6253, + "ip": "162.159.136.232" + }, + "source": { + "port": 62998, + "bytes": 925, + "ip": "192.168.2.156" + }, + "url": { + "path": "", + "original": "https://discord.com", + "scheme": "https", + "domain": "discord.com", + "full": "https://discord.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:27.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.156", + "162.159.136.232" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3732575808", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Online Chat", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + 
"port": 62998, + "bytes": 925, + "ip": "192.168.2.156" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193040261Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"162.159.136.232\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 8089, + "bytes": 307, + "ip": "208.73.181.98" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 10982, + "organization": { + "name": "TiVo, Inc." 
+ } + }, + "port": 8089, + "bytes": 307, + "ip": "208.73.181.98" + }, + "source": { + "port": 40233, + "bytes": 260, + "ip": "192.168.2.131" + }, + "url": { + "path": "/mind/mind42", + "original": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "scheme": "http", + "port": 8089, + "domain": "208.73.181.98", + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "full": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:28.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "208.73.181.98" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "999028608", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/json", + "used_quota": "0", + "http_category": "IPAddress", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 40233, + "bytes": 260, + "ip": "192.168.2.131" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193042125Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.98\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"208.73.181.98\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 584, + "ip": "8.2.110.235" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-NJ", + "city_name": "Clifton", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "New Jersey", + "location": { + "lon": -74.1403, + "lat": 40.8364 + } + }, + "as": { + "number": 46636, + "organization": { + "name": "NatCoWeb Corp." 
+ } + }, + "port": 443, + "bytes": 584, + "ip": "8.2.110.235" + }, + "source": { + "port": 22567, + "bytes": 1004, + "ip": "192.168.2.41" + }, + "url": { + "path": "", + "original": "https://backend-ssp.adstudio.cloud", + "scheme": "https", + "domain": "backend-ssp.adstudio.cloud", + "full": "https://backend-ssp.adstudio.cloud" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:28.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "8.2.110.235" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "11", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "175214016", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 22567, + "bytes": 1004, + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193043966Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"8.2.110.235\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 
domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2607, + "ip": "142.251.45.74" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 2607, + "ip": "142.251.45.74" + }, + "source": { + "port": 53458, + "bytes": 2417, + "ip": "192.168.2.126" + }, + "url": { + "path": "", + "original": "https://android.googleapis.com", + "scheme": "https", + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:30.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "142.251.45.74" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3732577728", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information 
Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53458, + "bytes": 2417, + "ip": "192.168.2.126" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193045829Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.45.74\" protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 5080099, + "ip": "45.57.227.202" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "CA-ON", + "city_name": "Stoney Creek", + "country_iso_code": "CA", + "country_name": "Canada", + "region_name": "Ontario", + "location": { + "lon": -79.7036, + "lat": 43.2183 + } + }, + "as": { + "number": 55286, + "organization": { + "name": "B2 Net Solutions Inc." 
+ } + }, + "port": 443, + "bytes": 5080099, + "ip": "45.57.227.202" + }, + "source": { + "port": 50939, + "bytes": 36759, + "ip": "192.168.2.111" + }, + "url": { + "path": "", + "original": "https://hls14.asiancdn.net", + "scheme": "https", + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:30.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "45.57.227.202" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "173138880", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Content Delivery", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50939, + "bytes": 36759, + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193047705Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 
domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 10552, + "ip": "64.4.54.254" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WY", + "city_name": "Cheyenne", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Wyoming", + "location": { + "lon": -104.8193, + "lat": 41.1399 + } + }, + "as": { + "number": 8075, + "organization": { + "name": "Microsoft Corporation" + } + }, + "port": 443, + "bytes": 10552, + "ip": "64.4.54.254" + }, + "source": { + "port": 59478, + "bytes": 37822, + "ip": "192.168.2.119" + }, + "url": { + "path": "", + "original": "https://vortex.data.microsoft.com", + "scheme": "https", + "domain": "vortex.data.microsoft.com", + "full": "https://vortex.data.microsoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:33.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.119", + "64.4.54.254" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2564229952", + "message_id": "16001", + "exceptions": "av,https,validation,policy,zero-day protection", + "app_is_cloud": 
"FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 59478, + "bytes": 37822, + "ip": "192.168.2.119" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193049563Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"64.4.54.254\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 249, + "ip": "35.74.7.193" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "port": 80, + "bytes": 249, + "ip": "35.74.7.193" + }, + "source": { + "port": 55510, + "bytes": 77, + "ip": "192.168.2.112" + }, + "url": { + "path": 
"/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "scheme": "http", + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:36.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "35.74.7.193" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3159008512", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "content_type": "application/octet-stream", + "used_quota": "0", + "http_category": "General Business", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 55510, + "bytes": 77, + "ip": "192.168.2.112" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193051407Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"35.74.7.193\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 
bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 1633, + "ip": "141.226.224.48" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 200478, + "organization": { + "name": "Taboola.com ltd" + } + }, + "port": 443, + "bytes": 1633, + "ip": "141.226.224.48" + }, + "source": { + "port": 22570, + "bytes": 7587, + "ip": "192.168.2.41" + }, + "url": { + "path": "", + "original": "https://us-trc-events.taboola.com", + "scheme": "https", + "domain": "us-trc-events.taboola.com", + "full": "https://us-trc-events.taboola.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:36.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "141.226.224.48" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "11", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "999027328", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Unproductive", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + 
"http_category": "Advertisements", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 22570, + "bytes": 7587, + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193053249Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"141.226.224.48\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2901, + "ip": "142.251.32.138" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 2901, + "ip": "142.251.32.138" + }, + "source": { + "port": 50210, + "bytes": 45093, + "ip": "192.168.2.126" + }, + "url": { + "path": "", + "original": "https://deviceintegritytokens-pa.googleapis.com", + "scheme": "https", + "domain": "deviceintegritytokens-pa.googleapis.com", + "full": "https://deviceintegritytokens-pa.googleapis.com" + }, + "tags": [ + 
"preserve_original_event" + ], + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:30:38.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "142.251.32.138" + ] + }, + "sophos": { + "xg": { + "fw_rule_id": "12", + "log_component": "HTTP", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "408293376", + "message_id": "16001", + "app_is_cloud": "FALSE", + "http_category_type": "Acceptable", + "device_name": "SFW", + "log_type": "Content Filtering", + "used_quota": "0", + "http_category": "Information Technology", + "log_version": "1" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50210, + "bytes": 45093, + "ip": "192.168.2.126" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:09:54.193055068Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.32.138\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "code": "050901616001", + "kind": "event", + "action": "allowed", + 
"category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + } + ] +}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log
new file mode 100644
index 00000000000..62250fae0e9
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log
@@ -0,0 +1,3 @@
+Nov 16 02:52:23 sophos device_name="SFW" timestamp="2021-11-15T20:52:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.131" src_mac="00:11:d9:a0:19:11" reported_host="TIVO-846001190AE52F2" message="Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11" lease_time="345600"
+Nov 16 02:57:56 sophos device_name="SFW" timestamp="2021-11-15T20:57:56-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.112" src_mac="88:57:1d:2d:FF:db" reported_host="TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK" message="Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db" lease_time="345600"
+Nov 16 03:04:08 sophos device_name="SFW" timestamp="2021-11-15T21:04:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.112" src_mac="88:57:1d:2d:FF:db" reported_host="TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK" message="Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db" lease_time="345600"
\ No newline at end of file
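Review bot: The second and third sample lines of test-xg-event-new.log are only half redacted: `src_mac="88:57:1d:2d:FF:db"` has one octet replaced, but the same line's `message="Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db"` still carries the original octet, so the fixture both leaks what the edit meant to hide and contradicts itself (likewise `reported_ip` never matches the `Lease IP` quoted in the message on any of the three lines). Redact both places the same way, e.g. change the message text to `MAC 88:57:1d:2d:FF:db` on those two lines, and align `reported_ip` with the lease IP in the message or vice versa, so a future pipeline change that parses the message cannot produce expected output that disagrees with `source.mac`. Separately, the expected JSON beside this hunk copies `src_mac` verbatim into `source.mac` and `client.mac` (mixed case, colon separated); if I recall correctly ECS 1.12 documents MAC fields as uppercase hyphen-separated (`00-00-5E-00-53-23`), which the pipeline outside this chunk would need to normalise before these fixtures are regenerated.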
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json
new file mode 100644
index 00000000000..af8376d4ff0
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json
@@ -0,0 +1,172 @@ +{ + "expected": [ + { + "log": { + "level": "Information" + }, + "source": { + "mac": "00:11:d9:a0:19:11" + }, + "message": "Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11", + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T02:52:23.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device_name": "SFW", + "log_type": "Event", + "log_component": "DHCP Server", + "device_model": "SFVH", + "log_subtype": "System", + "lease_time": "345600", + "reported_host": "TIVO-846001190AE52F2", + "reported_ip": "192.168.2.131", + "message_id": "60020", + "log_version": "1", + "status": "Renew" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "00:11:d9:a0:19:11" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:31.287727910Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"", + "code": "063411660020", + "kind": "event" + } + }, + { + "log": { + "level": "Information" + }, + "source": { + "mac": "88:57:1d:2d:FF:db" + }, + "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db", + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T02:57:56.000Z", + "ecs": { + "version": 
"1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device_name": "SFW", + "log_type": "Event", + "log_component": "DHCP Server", + "device_model": "SFVH", + "log_subtype": "System", + "lease_time": "345600", + "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", + "reported_ip": "192.168.2.112", + "message_id": "60020", + "log_version": "1", + "status": "Renew" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "88:57:1d:2d:FF:db" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:31.287732341Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "code": "063411660020", + "kind": "event" + } + }, + { + "log": { + "level": "Information" + }, + "source": { + "mac": "88:57:1d:2d:FF:db" + }, + "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db", + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T03:04:08.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device_name": "SFW", + "log_type": "Event", + "log_component": "DHCP Server", + "device_model": "SFVH", + "log_subtype": "System", + "lease_time": "345600", + "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", + "reported_ip": "192.168.2.112", + "message_id": "60020", + "log_version": "1", + "status": "Renew" + } + }, + "host": { + "name": 
"defaulttest.local" + }, + "client": { + "mac": "88:57:1d:2d:FF:db" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:31.287734163Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "code": "063411660020", + "kind": "event" + } + } + ] +}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log
new file mode 100644
index 00000000000..3a36ebead23
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log
@@ -0,0 +1,50 @@ +Nov 16 00:25:00 sophos device_name="SFW" timestamp="2021-11-15T18:25:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.250.114.93" dst_country="USA" protocol="TCP" src_port=50875 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="3153941760" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="A4:FC:77:2E:BD:6F" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.162" src_country="R1" dst_ip="142.251.32.238" dst_country="USA" protocol="TCP" src_port=56257 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151869632" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="TCP" src_port=50876 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719000128" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=31 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2718999808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" 
fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" 
out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=39 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="3153944000" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" 
fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916028416" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59346 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916031936" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" 
dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59347 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172022272" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=36 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="408294336" hb_status="No Heartbeat" app_resolved_by="Signature" 
app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030976" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000195968" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:04 sophos device_name="SFW" 
timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916029696" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=18 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:2A:5C:23" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.122" src_country="R1" dst_ip="142.250.115.105" dst_country="USA" protocol="TCP" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154390528" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="999027328" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" 
in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="192.168.10.1" dst_country="R1" protocol="UDP" src_port=47944 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="35.74.7.193" dst_country="JPN" protocol="TCP" src_port=55499 dst_port=80 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151867392" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" 
protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151870592" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=16 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:1D:B6:D9" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.118" src_country="R1" dst_ip="142.250.115.106" dst_country="USA" protocol="TCP" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172108928" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" nat_rule_id="0" fw_rule_type="USER" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type="Unknown (0x0000)" in_interface="Port3" out_interface="Port1" src_mac="00:50:56:9F:49:13" dst_mac="00:50:56:9F:EF:8A" src_ip="192.168.3.36" src_country="R1" dst_ip="192.168.2.90" dst_country="R1" protocol="TCP" src_port=48524 dst_port=9988 src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" 
con_event="Start" con_id="2685088384" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port3" out_display_interface="Port1" +Nov 16 00:25:07 sophos device_name="SFW" timestamp="2021-11-15T18:25:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172105728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386944" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos 
device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=33 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407384064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=19 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Youtube Website" app_risk=3 app_technology="Browser Based" app_category="Streaming Media" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.250.114.93" dst_country="USA" protocol="TCP" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" 
in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000196608" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" 
device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:B1:FE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.16" src_country="R1" dst_ip="192.168.1.167" dst_country="R1" protocol="TCP" src_port=63043 dst_port=8089 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685089984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall 
Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=411 fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="104.18.6.10" protocol="TCP" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407759360" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000197248" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=30 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154696512" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.251.40.67" dst_country="USA" protocol="UDP" src_port=59335 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088704" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2694935808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="8.8.8.8" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.250.68.131" dst_country="USA" protocol="UDP" src_port=62171 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151868992" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=17 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="34:C9:3D:23:51:C2" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.110" src_country="R1" dst_ip="23.218.232.189" dst_country="USA" protocol="TCP" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172106048" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.251.33.14" dst_country="USA" protocol="UDP" src_port=52915 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386624" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="8.8.8.8" dst_country="USA" protocol="UDP" src_port=34141 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.250.113.138" dst_country="USA" protocol="UDP" src_port=51751 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
new file mode 100644
index 00000000000..856e8e4a071
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
@@ -0,0 +1,6218 @@ +{ + "expected": [ + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.114.93" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.114.93" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 50875, + "mac": "00:26:37:EE:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:00.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.250.114.93", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3153941760", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50875, + "mac": "00:26:37:EE:47:20", + "ip": "192.168.2.111" + }, + "event": { + 
"severity": 6, + "ingested": "2021-11-16T04:10:32.214134055Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.250.114.93\" dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.32.238" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.32.238" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 56257, + "mac": "A4:FC:77:2E:BD:6F", + "ip": "192.168.2.162" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + 
"zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.162", + "142.251.32.238", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "151869632", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 56257, + "mac": "A4:FC:77:2E:BD:6F", + "ip": "192.168.2.162" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214138492Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"142.251.32.238\" dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" 
con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 50876, + "mac": "00:26:37:EE:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.251.33.46", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2719000128", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": 
"Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50876, + "mac": "00:26:37:EE:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214140583Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2718999808", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 31000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214142590Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:01.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:32.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + 
"142.251.33.46" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Denied", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00002", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "ether_type": "IPv4 (0x0800)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214144429Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "code": "010102600002", + "kind": "event", + "action": "denied", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": 
"142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.251.33.46" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Denied", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00002", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "ether_type": "IPv4 (0x0800)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214146257Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" 
app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "code": "010102600002", + "kind": "event", + "action": "denied", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:01.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916030336", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": 
"defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214148099Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:02.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "3153944000", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 39000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214149941Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:02.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:41.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:25:02.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + 
"142.251.33.46" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Denied", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00002", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "ether_type": "IPv4 (0x0800)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214151775Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "code": "010102600002", + "kind": "event", + "action": "denied", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:02.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916028416", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214153605Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 22083, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.15" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 22083, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.15" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 59346, + "mac": "00:50:56:9F:CD:68", + "ip": "192.168.2.32" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916031936", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", 
+ "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 59346, + "mac": "00:50:56:9F:CD:68", + "ip": "192.168.2.32" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214155439Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 22083, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.15" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 22083, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.15" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 59347, + "mac": "00:50:56:9F:CD:68", + "ip": "192.168.2.32" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + 
"transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "172022272", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 59347, + "mac": "00:50:56:9F:CD:68", + "ip": "192.168.2.32" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214157377Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:25:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.251.33.46" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Denied", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00002", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "ether_type": "IPv4 (0x0800)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" 
+ }, + "client": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214159216Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "code": "010102600002", + "kind": "event", + "action": "denied", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "408294336", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 36000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214161054Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:03.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:39.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916030976", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214162899Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:04.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "1000195968", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 35000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214164730Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:04.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:39.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:04.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2916029696", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214166630Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 112, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "142.250.115.105" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 80, + "bytes": 112, + "ip": "142.250.115.105", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "rule": { + "id": "19" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 41242, + "bytes": 216, + "mac": "2C:AA:8E:2A:5C:23", + "packets": 4, + "ip": "192.168.2.122" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 328, + "packets": 6, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + 
"192.168.2.122", + "142.250.115.105", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "154390528", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "5", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "8" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 41242, + "bytes": 216, + "mac": "2C:AA:8E:2A:5C:23", + "packets": 4, + "ip": "192.168.2.122" + }, + "event": { + "duration": 18000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214168474Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"142.250.115.105\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": 
"2021-11-16T00:25:05.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:23.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "142.251.33.46" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "142.251.33.46" + }, + "rule": { + "id": "12" + }, + "source": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.251.33.46" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Denied", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00002", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "ether_type": "IPv4 (0x0800)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 61709, + "mac": "00:26:37:ee:47:20", + "ip": "192.168.2.111" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214170343Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" 
device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "code": "010102600002", + "kind": "event", + "action": "denied", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "999027328", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 37000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214172168Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:05.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:42.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 53, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.10.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 53, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.10.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 47944, + "mac": "88:57:1D:2D:19:DB", + "ip": "192.168.2.112" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "192.168.10.1", + "192.168.1.2" + ] + }, + 
"sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2685088064", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "app_technology": "Network Protocol", + "app_name": "DNS", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_risk": "1", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "app_category": "Infrastructure", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 47944, + "mac": "88:57:1D:2D:19:DB", + "ip": "192.168.2.112" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214174014Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + 
"action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "mac": "00:50:56:9F:39:33", + "ip": "35.74.7.193" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "port": 80, + "mac": "00:50:56:9F:39:33", + "ip": "35.74.7.193" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 55499, + "mac": "88:57:1D:2D:19:DB", + "ip": "192.168.2.112" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "35.74.7.193", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "151867392", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 55499, + "mac": "88:57:1D:2D:19:DB", + 
"ip": "192.168.2.112" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214175852Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"35.74.7.193\" dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:05.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "151870592", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214177701Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "bytes": 112, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "142.250.115.106" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 80, + "bytes": 112, + "ip": "142.250.115.106", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "rule": { + "id": "19" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 44720, + "bytes": 216, + "mac": "2C:AA:8E:1D:B6:D9", + "packets": 4, + "ip": "192.168.2.118" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 328, + "packets": 6, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:06.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + 
"192.168.2.118", + "142.250.115.106", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "172108928", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "5", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "8" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 44720, + "bytes": 216, + "mac": "2C:AA:8E:1D:B6:D9", + "packets": 4, + "ip": "192.168.2.118" + }, + "event": { + "duration": 16000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214179612Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"142.250.115.106\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": 
"2021-11-16T00:25:06.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:22.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 9988, + "mac": "00:50:56:9F:EF:8A", + "ip": "192.168.2.90" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 9988, + "mac": "00:50:56:9F:EF:8A", + "ip": "192.168.2.90" + }, + "rule": { + "id": "16" + }, + "source": { + "port": 48524, + "mac": "00:50:56:9F:49:13", + "ip": "192.168.3.36" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "internal" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port3" + }, + "zone": "DMZ" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + } + }, + "@timestamp": "2021-11-16T00:25:06.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "4", + "log_subtype": "Allowed", + "con_id": "2685088384", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "6", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "0", + "log_version": "1", + "app_filter_policy_id": "7" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 48524, + "mac": "00:50:56:9F:49:13", + "ip": "192.168.3.36" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214181429Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" 
log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port3\" out_display_interface=\"Port1\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:07.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "172105728", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214183267Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:08.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407386944", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214185079Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:08.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407384064", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 33000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214186923Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:08.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:41.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 4992, + "mac": "00:50:56:9F:39:33", + "packets": 31, + "ip": "142.250.114.93" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 4992, + "ip": "142.250.114.93", + "mac": "00:50:56:9F:39:33", + "packets": 31 + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 50872, + "bytes": 9718, + "mac": "00:26:37:EE:47:20", + "packets": 31, + "ip": "192.168.2.111" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 14710, + "packets": 62, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + 
"product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:08.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "142.250.114.93", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "154391168", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_technology": "Browser Based", + "app_is_cloud": "FALSE", + "app_name": "Youtube Website", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_risk": "3", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "app_category": "Streaming Media", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 50872, + "bytes": 9718, + "mac": "00:26:37:EE:47:20", + "packets": 31, + "ip": "192.168.2.111" + }, + "event": { + "duration": 19000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214188775Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" 
src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.250.114.93\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:08.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:27.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:08.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2719001728", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 35000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214190601Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:08.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:43.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:09.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "1000196608", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214192438Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:09.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2719001088", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 38000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214194256Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:09.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:47.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 8089, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.167" + }, + "log": { + "level": "Information" + }, + "destination": { + "port": 8089, + "mac": "00:50:56:9F:39:33", + "ip": "192.168.1.167" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 63043, + "mac": "00:50:56:9F:B1:FE", + "ip": "192.168.2.16" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:09.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.16", + "192.168.1.167", + "192.168.1.2" + ] + }, + 
"sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2685089984", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 63043, + "mac": "00:50:56:9F:B1:FE", + "ip": "192.168.2.16" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214196095Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 2229, + "mac": "00:50:56:9F:39:33", + "packets": 22, + "ip": "104.18.6.10" + }, + "log": 
{ + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 443, + "bytes": 2229, + "ip": "104.18.6.10", + "mac": "00:50:56:9F:39:33", + "packets": 22 + }, + "rule": { + "id": "11" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 21957, + "bytes": 2297, + "mac": "24:4B:FE:DD:C6:CE", + "packets": 20, + "ip": "192.168.2.41" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 4526, + "packets": 42, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:09.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "104.18.6.10", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "407759360", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_technology": "Network Protocol", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_risk": "1", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "9", + "app_category": "Infrastructure", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": 
{ + "port": 21957, + "bytes": 2297, + "mac": "24:4B:FE:DD:C6:CE", + "packets": 20, + "ip": "192.168.2.41" + }, + "event": { + "duration": 411000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214197902Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"104.18.6.10\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:09.000Z", + "action": "allowed", + "end": "2021-11-16T00:32:00.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:10.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "1000197248", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214199824Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:10.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407385024", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 32000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214201658Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:10.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:42.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:10.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "154696512", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 30000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214203497Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:10.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:40.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:11.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "154391168", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214205363Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:11.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407385984", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 32000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214207173Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:11.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:43.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.40.67" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.40.67" + }, + "rule": { + "id": "11" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 59335, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": 
"Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:11.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "142.251.40.67", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "2685088704", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "9", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 59335, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214209021Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.251.40.67\" dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": 
"010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "1000194368", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + 
} + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 38000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214210860Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:12.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:50.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "2694935808", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214212685Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "8.8.8.8" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "mac": "00:50:56:9F:39:33", + "ip": "8.8.8.8" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "54:60:09:FD:33:EC", + "ip": "192.168.2.105" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "8.8.8.8", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + 
"log_subtype": "Allowed", + "con_id": "1000194368", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "54:60:09:FD:33:EC", + "ip": "192.168.2.105" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214214565Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"8.8.8.8\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.68.131" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 
37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.68.131" + }, + "rule": { + "id": "11" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 62171, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "142.250.68.131", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "151868992", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "9", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 62171, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214216380Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.250.68.131\" dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "bytes": 6770, + "mac": "00:50:56:9F:39:33", + "packets": 13, + "ip": "23.218.232.189" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 24835, + "organization": { + "name": "RAYA Telecom - Egypt" + } + }, + "port": 443, + "bytes": 6770, + "ip": "23.218.232.189", + "mac": "00:50:56:9F:39:33", + "packets": 13 + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 53271, + "bytes": 1030, + "mac": "34:C9:3D:23:51:C2", + "packets": 11, + "ip": "192.168.2.110" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 7800, + "packets": 24, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { 
+ "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "23.218.232.189", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "172106048", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_technology": "Network Protocol", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_risk": "1", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "app_category": "Infrastructure", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 53271, + "bytes": 1030, + "mac": "34:C9:3D:23:51:C2", + "packets": 11, + "ip": "192.168.2.110" + }, + "event": { + "duration": 17000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214218210Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"23.218.232.189\" dst_country=\"USA\" protocol=\"TCP\" 
src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:12.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:29.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.33.14" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.251.33.14" + }, + "rule": { + "id": "11" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 52915, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:12.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "142.251.33.14", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": 
"Allowed", + "con_id": "407385024", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "9", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 52915, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214220017Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.251.33.14\" dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + 
"country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "mac": "00:50:56:9F:39:33", + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:13.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407386624", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "mac": "10:BF:48:7D:ED:22", + "ip": "192.168.2.121" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214221851Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" 
nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "bytes": 168, + "mac": "00:50:56:9F:39:33", + "packets": 2, + "ip": "1.1.1.1" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "icmp", + "bytes": 336, + "packets": 4, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:13.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "1.1.1.1", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "icmp_type": "8", + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407385344", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Stop", + "ether_type": "Unknown (0x0000)", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "bytes": 168, + "mac": "10:BF:48:7D:ED:22", + "packets": 2, + "ip": "192.168.2.121" + }, + "event": { + "duration": 37000000000, + "severity": 6, + "ingested": "2021-11-16T04:10:32.214223726Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "start": "2021-11-16T00:25:13.000Z", + "action": "allowed", + "end": "2021-11-16T00:25:50.000Z", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 53, + "mac": "00:50:56:9F:39:33", + "ip": "8.8.8.8" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "mac": "00:50:56:9F:39:33", + "ip": "8.8.8.8" + }, + "rule": { + "id": "12" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 34141, + "mac": "54:60:09:FD:33:EC", + "ip": "192.168.2.105" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + 
"zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:13.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "8.8.8.8", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "12", + "log_subtype": "Allowed", + "con_id": "407385344", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "app_technology": "Network Protocol", + "app_name": "DNS", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + "app_risk": "1", + "app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "12", + "app_category": "Infrastructure", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 34141, + "mac": "54:60:09:FD:33:EC", + "ip": "192.168.2.105" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214225562Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"8.8.8.8\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" 
con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.113.138" + }, + "log": { + "level": "Information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "mac": "00:50:56:9F:39:33", + "ip": "142.250.113.138" + }, + "rule": { + "id": "11" + }, + "source": { + "nat": { + "ip": "192.168.1.2" + }, + "port": 51751, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "product": "XG", + "vendor": "Sophos", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + } + }, + "@timestamp": "2021-11-16T00:25:13.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "142.250.113.138", + "192.168.1.2" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "device_model": "SFVH", + "web_policy_id": "1", + "log_subtype": "Allowed", + "con_id": "2719001088", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "message_id": "00001", + "app_is_cloud": "FALSE", + "device_name": "SFW", + "log_type": "Firewall", + "con_event": "Start", + "ether_type": "Unknown (0x0000)", + 
"app_resolved_by": "Signature", + "qualifier": "New", + "nat_rule_id": "9", + "log_version": "1", + "app_filter_policy_id": "6" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "port": 51751, + "mac": "24:4B:FE:DD:C6:CE", + "ip": "192.168.2.41" + }, + "event": { + "severity": 6, + "ingested": "2021-11-16T04:10:32.214227413Z", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.250.113.138\" dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "code": "010101600001", + "kind": "event", + "action": "allowed", + "category": [ + "network" + ], + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml index 5160ce60eec..bd7e154cbfb 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml 
@@ -72,23 +72,6 @@ processors: type: long ignore_failure: true ignore_missing: true -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - ignore_empty_value: true -- convert: - field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -121,23 +104,6 @@ processors: type: long ignore_failure: true ignore_missing: true -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - ignore_empty_value: true -- convert: - field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.from_email_address target_field: source.user.email @@ -231,9 +197,7 @@ processors: - remove: field: - sophos.xg.dst_port - - sophos.xg.recv_bytes - sophos.xg.src_port - - sophos.xg.sent_bytes ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml index dae14727da5..ef78f6947b3 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml 
@@ -78,24 +78,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.port != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -132,24 +114,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.port != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name @@ -338,8 +302,6 @@ processors: field: - sophos.xg.dst_port - sophos.xg.src_port - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - sophos.xg.status_code - sophos.xg.file_size ignore_missing: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml index 25bfe199e2a..2e18b0a1aa0 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml 
@@ -125,14 +125,21 @@ processors: ##################### - rename: field: sophos.xg.url - target_field: url.full + target_field: url.original ignore_missing: true - if: "ctx.sophos?.xg?.url != null" +- uri_parts: + field: url.original + target_field: url + if: "ctx.url?.original != null" +- set: + field: url.full + copy_from: url.original + ignore_empty_value: true - rename: field: sophos.xg.domain target_field: url.domain ignore_missing: true - if: "ctx.sophos?.xg?.domain != null" + if: ctx.url?.domain == null ############################ ## ECS User Agent Mapping ## @@ -148,11 +155,20 @@ processors: type: long ignore_missing: true if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" +- convert: + field: sophos.xg.http_status + target_field: http.response.status_code + type: long + ignore_missing: true + if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" - rename: field: sophos.xg.user_agent target_field: user_agent.original ignore_missing: true - if: "ctx.sophos?.xg?.user_agent != null" +- user_agent: + field: user_agent.original + target_field: user_agent + ignore_missing: true ############################# ## ECS Network/Geo Mapping ## @@ -268,8 +284,9 @@ processors: field: - sophos.xg.dst_port - sophos.xg.src_port - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes + - sophos.xg.domain + - sophos.xg.http_status + - sophos.xg.http_user_agent ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index 03636f04962..d7a2facbf88 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml 
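Review bot: The new `uri_parts` step on `url.original` has no failure handling, so a logged value that is not a parseable URI would fail the whole pipeline, unlike the surrounding `rename` processors which tolerate missing input. If the field is not guaranteed to be a full URL, add `ignore_failure: true` (or an `on_failure` that records `error.message`) to the `uri_parts` processor. The domain rename below it now fires only when `uri_parts` did not already set `url.domain`, and the last hunk of this file adds `sophos.xg.domain` to the remove list, so when the two disagree the firewall-reported domain is dropped silently; that is presumably acceptable, but deserves a comment such as `# sophos.xg.domain is only used when the URL carries no host`. The unquoted `if: ctx.url?.domain == null` also breaks the file's convention of double-quoting every condition.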
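Review bot: `sophos.xg.http_user_agent` is added to the remove list, but no processor in this diff maps it; the user-agent rename in the previous hunk still reads `sophos.xg.user_agent`. Unless the key is normalised upstream (for example by the gsub in default.yml, which is outside this diff), the user agent of new-format events is discarded without ever reaching the `user_agent` processor. Either add a rename of `sophos.xg.http_user_agent` to `user_agent.original` (with `ignore_missing: true`) ahead of the `user_agent` processor, or leave a comment on the remove entry saying why the field is intentionally dropped.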
@@ -11,6 +11,8 @@ processors: field: message patterns: - '%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:event.original}$' + - '%{SYSLOG5424PRI}%{GREEDYDATA:event.original}$' + - '%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:event.original}$' # optimize fields / strings in event.original for KV processor - gsub: @@ -37,6 +39,11 @@ processors: field: _temp_.time value: "{{sophos.xg.date}} {{sophos.xg.time}}" if: ctx?.sophos?.xg?.date != null && ctx?.sophos?.xg?.time != null +- set: + field: _temp_.time + copy_from: sophos.xg.timestamp + ignore_empty_value: true + if: ctx._temp_?.time == null - date: if: "ctx.event.timezone == null" field: _temp_.time @@ -134,6 +141,10 @@ processors: field: event.severity type: long ignore_missing: true +- set: + field: log.level + copy_from: sophos.xg.severity + ignore_empty_value: true ########################## ## ECS Observer Mapping ## @@ -151,6 +162,10 @@ processors: field: sophos.xg.device_id target_field: observer.serial_number ignore_missing: true +- rename: + field: sophos.xg.device_serial_id + target_field: observer.serial_number + ignore_missing: true - rename: field: sophos.xg.out_interface target_field: observer.egress.interface.name @@ -160,11 +175,19 @@ processors: target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: sophos.xg.srczonetype + field: sophos.xg.srczone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.src_zone target_field: observer.ingress.zone ignore_missing: true - rename: - field: sophos.xg.dstzonetype + field: sophos.xg.dstzone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: sophos.xg.dst_zone target_field: observer.egress.zone ignore_missing: true @@ -223,6 +246,7 @@ processors: - _conf - sophos.xg.date - sophos.xg.time + - sophos.xg.timestamp - sophos.xg.duration - sophos.xg.timezone - sophos.xg.dir_disp 
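Review bot: The second grok pattern, `'%{SYSLOG5424PRI}%{GREEDYDATA:event.original}$'`, can never match: the first pattern's `(...)?` group is optional, so every message the second accepts is already consumed by the first, and grok returns on the first match. Drop it, or if the header-less form was meant to be preferred, reorder the list. The third pattern captures `observer.hostname` only when a syslog timestamp precedes it and has no PRI alternative, so a line with neither PRI nor timestamp still fails grok; whether an `on_failure` catches that is outside this hunk.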
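Review bot: The new `set` copies `sophos.xg.timestamp` straight into `_temp_.time`, but the `date` processor's `formats` list is outside the hunk and must include an ISO 8601 pattern with a numeric offset for the new-format value (the firewall fixture shows the shape `2021-11-15T18:25:13-0600`). Because that value carries its own offset while the `date`/`time` path depends on `event.timezone`, the `timezone` option of the `date` processor has no effect on it; a comment such as `# new-format logs carry an explicit offset; event.timezone does not apply to them` would save the next reader a round trip. I cannot see the formats from here, so treat this as a check rather than a confirmed defect.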
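Review bot: The added `rename` of `sophos.xg.device_serial_id` to `observer.serial_number` sits directly after the rename of `sophos.xg.device_id` to the same target, and `rename` fails outright when the target field already exists; `ignore_missing` does not cover that case. If an event ever carries both key names (old and new format), the pipeline errors instead of keeping one of them. Guard the second rename with `if: ctx.observer?.serial_number == null` (or add `ignore_failure: true`). The same double-target pattern is introduced in the next hunk for `srczone`/`src_zone` and `dstzone`/`dst_zone`, and in firewall.yml for `tran_src_ip`/`src_trans_ip`, both targeting `source.nat.ip`.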
@@ -232,6 +256,10 @@ processors: - sophos.xg.nat_rule_id - sophos.xg.in_display_interface - sophos.xg.out_display_interface + - sophos.xg.srczonetype + - sophos.xg.dstzonetype + - sophos.xg.src_zone_type + - sophos.xg.dst_zone_type - syslog5424_pri ignore_missing: true @@ -240,6 +268,43 @@ processors: type: long ignore_missing: true ignore_failure: true + +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- convert: + field: sophos.xg.bytes_sent + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_sent != null" +- set: + field: client.bytes + copy_from: source.bytes + ignore_empty_value: true +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- convert: + field: sophos.xg.bytes_received + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_received != null" +- set: + field: server.bytes + copy_from: destination.bytes + ignore_empty_value: true ############################### ## Product Specific Pipelines ## @@ -277,6 +342,21 @@ processors: - pipeline: name: '{{ IngestPipeline "wifi" }}' if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.bytes_sent + - sophos.xg.bytes_received + - sophos.xg.severity + - sophos.xg.dst_country + - sophos.xg.src_country + - sophos.xg.out_display_interface + - sophos.xg.in_display_interface + ignore_missing: true - remove: field: event.original if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" 
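Review bot: The byte-mapping block is inserted between the previous processor and the `## Product Specific Pipelines ##` banner without one of the file's section headers, so it reads as a stray tail of the preceding convert. Give it its own banner, e.g. `## ECS Bytes Mapping ##`, with one blank line on each side to match the rest of the file. Note also that both `sent_bytes` and `bytes_sent` write `source.bytes` (and likewise `recv_bytes`/`bytes_received` write `destination.bytes`); the second silently overwrites the first if both are present, which is presumably fine for the two log formats but worth stating in a comment.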
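Review bot: The new Cleanup remove lists `sophos.xg.in_display_interface` and `sophos.xg.out_display_interface`, which the earlier remove list in this file (visible as context in the previous hunk) already contains; harmless with `ignore_missing`, but one of the two entries should go. That earlier list also drops `sophos.xg.nat_rule_id`, while this commit declares `nat_rule_id` in fields.yml, documents it in the README and keeps it in the firewall expected-output fixture; if that earlier remove is unconditional the field can never reach the index, so verify which behaviour is intended. Dropping `sophos.xg.src_country`/`dst_country` here discards the firewall's own country assignment (the fixtures show values such as `R1` and `AUS`) in favour of the geoip enrichment; if that is deliberate, a one-line comment saying so would help.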
diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml index 11c9ca0df50..288d80f7666 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml @@ -80,24 +80,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" ############################### ## ECS Client/Source Mapping ## @@ -125,24 +107,6 @@ processors: field: client.mac value: '{{source.mac}}' if: "ctx.source?.mac != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name @@ -267,9 +231,7 @@ processors: - remove: field: - sophos.xg.dst_port - - sophos.xg.recv_bytes - sophos.xg.src_port - - sophos.xg.sent_bytes - sophos.xg.name ignore_missing: true on_failure: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml index c4edb9f0960..5d03f43e046 100644 
--- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml @@ -62,8 +62,8 @@ processors: if: "ctx.sophos?.xg?.dst_ip != null" - set: field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" + copy_from: destination.ip + ignore_empty_value: true - rename: field: sophos.xg.tran_dst_ip target_field: destination.nat.ip @@ -83,15 +83,8 @@ processors: if: "ctx.sophos?.xg?.dst_port != null" - set: field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" + copy_from: destination.port + ignore_empty_value: true - convert: field: sophos.xg.tran_dst_port target_field: destination.nat.port @@ -101,15 +94,8 @@ processors: if: "ctx.sophos?.xg?.tran_dst_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" + copy_from: destination.nat.port + ignore_empty_value: true - rename: field: sophos.xg.dst_mac target_field: destination.mac 
@@ -117,26 +103,8 @@ processors: if: "ctx.sophos?.xg?.dst_mac != null" - set: field: server.mac - value: '{{destination.mac}}' - if: "ctx.destination?.mac != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" + copy_from: destination.mac + ignore_empty_value: true - convert: field: sophos.xg.recv_pkts target_field: destination.packets @@ -144,17 +112,17 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.recv_pkts !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" - convert: - field: server.packets - target_field: server.packets + field: sophos.xg.packets_received + target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.server?.packets != null" + if: "ctx.sophos?.xg?.packets_received !=null" +- set: + field: server.packets + copy_from: destination.packets + ignore_empty_value: true ############################### ## ECS Client/Source Mapping ## @@ -173,6 +141,11 @@ processors: target_field: source.nat.ip ignore_missing: true if: "ctx.sophos?.xg?.tran_src_ip != null" +- rename: + field: sophos.xg.src_trans_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_trans_ip != null" - rename: field: sophos.xg.sourceip target_field: source.ip 
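Review bot: The new `convert` of `sophos.xg.packets_received` has no `trim` ahead of it, whereas the sent side in the following hunks adds `trim` for both `sophos.xg.sent_pkts` and `sophos.xg.packets_sent`; if trailing whitespace is what those trims guard against, the received counters need the same treatment, otherwise the convert fails silently (it has `ignore_failure: true`) and `destination.packets`/`server.packets` go missing. Add `- trim: field: sophos.xg.packets_received ignore_missing: true` before the convert. The condition `if: "ctx.sophos?.xg?.packets_received !=null"` copies the missing space from the `recv_pkts` line above; `!= null` is the form used everywhere else in the file.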
@@ -223,26 +196,12 @@ processors: field: client.mac value: '{{source.mac}}' if: "ctx.source?.mac != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - trim: field: sophos.xg.sent_pkts + ignore_missing: true +- trim: + field: sophos.xg.packets_sent + ignore_missing: true - convert: field: sophos.xg.sent_pkts target_field: source.packets @@ -250,17 +209,17 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.sent_pkts != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" - convert: - field: client.packets - target_field: client.packets + field: sophos.xg.packets_sent + target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.packets != null" + if: "ctx.sophos?.xg?.packets_sent != null" +- set: + field: client.packets + copy_from: source.packets + ignore_empty_value: true - rename: field: sophos.xg.user_name target_field: source.user.name @@ -441,12 +400,12 @@ processors: field: - sophos.xg.dst_port - sophos.xg.tran_dst_port - - sophos.xg.recv_bytes - sophos.xg.recv_pkts - sophos.xg.src_port - sophos.xg.tran_src_port - - sophos.xg.sent_bytes - sophos.xg.sent_pkts + - sophos.xg.packets_received + - sophos.xg.packets_sent ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/fields/ecs.yml b/packages/sophos/data_stream/xg/fields/ecs.yml index 6447dfc1353..6800fb6294f 100644 --- a/packages/sophos/data_stream/xg/fields/ecs.yml +++ b/packages/sophos/data_stream/xg/fields/ecs.yml 
@@ -145,6 +145,8 @@ name: observer.type - external: ecs name: observer.vendor +- external: ecs + name: observer.hostname - external: ecs name: related.hash - external: ecs @@ -173,6 +175,8 @@ name: server.packets - external: ecs name: server.port +- external: ecs + name: server.mac - external: ecs name: source.as.number - external: ecs diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 6b4aa574230..1adcb2547e6 100644 --- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml @@ -20,6 +20,10 @@ type: keyword description: | Model number of the device + - name: device_model + type: keyword + description: | + Model number of the device - name: device_id type: keyword description: | 
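Review bot: `server.mac` is added to ecs.yml, but the README hunks in this commit add only an `observer.hostname` row and no `server.mac` row, so the exported field table is out of step with the mapping. If the README is rendered from `_dev/build/docs`, rerun the docs build so the table gains a `server.mac` row; otherwise add it by hand next to `server.packets` and `server.port`.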
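Review bot: The new `device_model` is described as `Model number of the device`, which is the exact description the pre-existing `device_name` entry directly above it already carries (the README hunk shows both rows with identical text). The fixture in this commit shows `device_name="SFW"` alongside `device_model="SFVH"`, so `device_name` is a name, not a model number. While adding its sibling, fix the existing description to `Name of the device` so the two stay distinguishable in the exported docs.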
@@ -764,6 +768,86 @@ type: keyword description: | ethernet frame type + - name: app_category + type: keyword + description: | + Name of the category under which application falls + - name: app_name + type: keyword + description: | + Application name + - name: app_filter_policy_id + type: keyword + description: | + Application filter policy ID applied on the traffic + - name: app_resolved_by + type: keyword + description: | + Application is resolved by signature or synchronized application + - name: app_risk + type: keyword + description: | + Risk level assigned to the application + - name: app_technology + type: keyword + description: | + Technology of the application + - name: con_event + type: keyword + description: | + Event Start/Stop + - name: fw_rule_type + type: keyword + description: | + Firewall rule type which is applied on the traffic + - name: hb_status + type: keyword + description: | + Heartbeat status + - name: log_version + type: keyword + description: | + Log Version + - name: nat_rule_id + type: keyword + description: | + NAT Rule ID + - name: qualifier + type: keyword + description: | + Qualifier + - name: web_policy_id + type: keyword + description: | + Web policy ID + - name: content_type + type: keyword + description: | + Type of the content + - name: http_category + type: keyword + description: | + HTTP Category + - name: http_category_type + type: keyword + description: | + HTTP Category Type + - name: used_quota + type: keyword + description: | + Used Quota + - name: lease_time + type: keyword + description: | + Lease Time + - name: reported_host + type: keyword + description: | + Reported Host + - name: reported_ip + type: keyword + description: | + Reported IP - name: log.source.address type: keyword ignore_above: 1024 diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 6298763f3dd..102fb377a91 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md 
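Review bot: Several of the new fields are typed `keyword` where their existing siblings use a richer type: `app_filter_policy_id`, `web_policy_id`, `nat_rule_id` and `app_risk` hold numeric values in the fixture (`12`, `8`, `6`, `1`) while `appfilter_policy_id`, `ips_policy_id` and `fw_rule_id` are declared `integer` in the README table, and `reported_ip` is `keyword` while `remote_ip` is `ip`. Mixing types for the same kind of value means the new fields cannot be range- or CIDR-queried alongside the old ones; either align them (`type: ip` for `reported_ip`, `type: integer` for the policy ids, if the values are always numeric) or add a comment explaining why keyword was chosen. Descriptions such as `Qualifier`, `Log Version` and `Used Quota` only restate the field name; a phrase saying what the value contains (units for `used_quota`, the observed range for `app_risk`) would make the table useful. If `reported_ip`/`reported_host` are populated by a pipeline, they should presumably also be appended to `related.ip`/`related.hosts`, which none of the visible hunks do.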
@@ -1039,6 +1039,7 @@ An example event for `xg` looks as following: | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.egress.interface.name | Interface name as reported by the system. | keyword | | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | | observer.ingress.interface.name | Interface name as reported by the system. | keyword | | observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | | observer.product | The product name of the observer. | keyword | 
@@ -1071,7 +1072,13 @@ An example event for `xg` looks as following: | sophos.xg.action | Event Action | keyword | | sophos.xg.activityname | Web policy activity that matched and caused the policy result. | keyword | | sophos.xg.ap | ap | keyword | +| sophos.xg.app_category | Name of the category under which application falls | keyword | +| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | | sophos.xg.app_is_cloud | Application is Cloud | keyword | +| sophos.xg.app_name | Application name | keyword | +| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword | +| sophos.xg.app_risk | Risk level assigned to the application | keyword | +| sophos.xg.app_technology | Technology of the application | keyword | | sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer | | sophos.xg.application | Application name | keyword | | sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword | @@ -1092,12 +1099,14 @@ An example event for `xg` looks as following: | sophos.xg.client_physical_address | Client physical address | keyword | | sophos.xg.clients_conn_ssid | clients connection ssid | keyword | | sophos.xg.collisions | collisions | long | +| sophos.xg.con_event | Event Start/Stop | keyword | | sophos.xg.con_id | Unique identifier of connection | integer | | sophos.xg.conn_id | Unique identifier of connection | integer | | sophos.xg.connectionname | Connectionname | keyword | | sophos.xg.connectiontype | Connectiontype | keyword | | sophos.xg.connevent | Event on which this log is generated | keyword | | sophos.xg.connid | Connection ID | keyword | +| sophos.xg.content_type | Type of the content | keyword | | sophos.xg.contenttype | Type of the content | keyword | | sophos.xg.context_match | Context Match | keyword | | sophos.xg.context_prefix | Content Prefix | keyword | 
@@ -1107,6 +1116,7 @@ An example event for `xg` looks as following: | sophos.xg.destinationip | Original destination IP address of traffic | ip | | sophos.xg.device | device | keyword | | sophos.xg.device_id | Serial number of the device | keyword | +| sophos.xg.device_model | Model number of the device | keyword | | sophos.xg.device_name | Model number of the device | keyword | | sophos.xg.dictionary_name | Dictionary Name | keyword | | sophos.xg.dir_disp | TPacket direction. Possible values:“org”, “reply”, “” | keyword | @@ -1141,8 +1151,12 @@ An example event for `xg` looks as following: | sophos.xg.from_email_address | Sender email address | keyword | | sophos.xg.ftpcommand | FTP command used when virus was found | keyword | | sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer | +| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword | | sophos.xg.hb_health | Heartbeat status | keyword | +| sophos.xg.hb_status | Heartbeat status | keyword | | sophos.xg.host | Host | keyword | +| sophos.xg.http_category | HTTP Category | keyword | +| sophos.xg.http_category_type | HTTP Category Type | keyword | | sophos.xg.httpresponsecode | code of HTTP response | long | | sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword | | sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword | 
@@ -1154,17 +1168,20 @@ An example event for `xg` looks as following: | sophos.xg.interface | interface | keyword | | sophos.xg.ipaddress | Ipaddress | keyword | | sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer | +| sophos.xg.lease_time | Lease Time | keyword | | sophos.xg.localgateway | Localgateway | keyword | | sophos.xg.localnetwork | Localnetwork | keyword | | sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword | | sophos.xg.log_id | Unique 12 characters code (0101011) | keyword | | sophos.xg.log_subtype | Sub type of event | keyword | | sophos.xg.log_type | Type of event e.g. firewall event | keyword | +| sophos.xg.log_version | Log Version | keyword | | sophos.xg.login_user | ATP login user | keyword | | sophos.xg.mailid | mailid | keyword | | sophos.xg.mailsize | mailsize | integer | | sophos.xg.message | Message | keyword | | sophos.xg.message_id | Message ID | keyword | +| sophos.xg.nat_rule_id | NAT Rule ID | keyword | | sophos.xg.newversion | Newversion | keyword | | sophos.xg.oldversion | Oldversion | keyword | | sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword | @@ -1175,6 +1192,7 @@ An example event for `xg` looks as following: | sophos.xg.policy_type | Policy type applied to the traffic | keyword | | sophos.xg.priority | Severity level of traffic | keyword | | sophos.xg.protocol | Protocol number of traffic | keyword | +| sophos.xg.qualifier | Qualifier | keyword | | sophos.xg.quarantine | Path and filename of the file quarantined | keyword | | sophos.xg.quarantine_reason | Quarantine reason | keyword | | sophos.xg.querystring | querystring | keyword | 
@@ -1189,6 +1207,8 @@ An example event for `xg` looks as following:
 | sophos.xg.referer | Referer | keyword |
 | sophos.xg.remote_ip | Remote IP | ip |
 | sophos.xg.remotenetwork | remotenetwork | keyword |
+| sophos.xg.reported_host | Reported Host | keyword |
+| sophos.xg.reported_ip | Reported IP | keyword |
 | sophos.xg.responsetime | Responsetime | long |
 | sophos.xg.rule_priority | Priority of IPS policy | keyword |
 | sophos.xg.sent_bytes | Total number of bytes sent | long |
@@ -1239,6 +1259,7 @@ An example event for `xg` looks as following:
 | sophos.xg.upload_file_type | Upload file type | keyword |
 | sophos.xg.url | URL from which virus was downloaded | keyword |
 | sophos.xg.used | used | integer |
+| sophos.xg.used_quota | Used Quota | keyword |
 | sophos.xg.user | User | keyword |
 | sophos.xg.user_cpu | system | float |
 | sophos.xg.user_gp | Group name to which the user belongs. | keyword |
@@ -1247,6 +1268,7 @@ An example event for `xg` looks as following:
 | sophos.xg.users | users | keyword |
 | sophos.xg.vconn_id | Connection ID of the master connection | integer |
 | sophos.xg.virus | virus name | keyword |
+| sophos.xg.web_policy_id | Web policy ID | keyword |
 | sophos.xg.website | Website | keyword |
 | sophos.xg.xss | related XSS caught by the WAF | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml
index adca0b788a7..3a89e018082 100644
--- a/packages/sophos/manifest.yml
+++ b/packages/sophos/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sophos
 title: Sophos Logs
-version: 1.2.1
+version: 1.2.2
 description: Collect and parse logs from Sophos Products with Elastic Agent.
 categories: ["security"]
 release: ga
From 0262008455f661e20dbdc4bd58f3f6c62d98a371 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Thu, 31 Mar 2022 13:46:27 +0000
Subject: [PATCH 2/6] update pipelines after rebase
---
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../pipeline/test-generated.log-expected.json | 300 -
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../xg/_dev/test/pipeline/test-sophos-xg.log | 6 +-
 .../pipeline/test-sophos-xg.log-expected.json | 218 +-
 .../test/pipeline/test-xg-cfilter-new.log | 94 +-
 .../test-xg-cfilter-new.log-expected.json | 7472 ++++++++--------
 .../test-xg-event-new.log-expected.json | 147 +-
 .../test/pipeline/test-xg-firewall-new.log | 90 +-
 .../test-xg-firewall-new.log-expected.json | 7758 +++++++++--------
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 12 files changed, 7917 insertions(+), 8178 deletions(-)
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
index abcd92a8aef..b6d403c9205 100644
--- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
@@ -4,9 +4,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570966135Z"
- },
 "message": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'",
 "tags": [
 "preserve_original_event"
@@ -16,9 +13,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570972928Z"
- },
 "message": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu",
 "tags": [
 "preserve_original_event"
@@ -28,9 +22,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570974585Z"
- },
 "message": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin",
 "tags": [
 "preserve_original_event"
@@ -40,9 +31,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570976044Z"
- },
 "message": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq",
 "tags": [
 "preserve_original_event"
@@ -52,9 +40,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570977317Z"
- },
 "message": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations",
 "tags": [
 "preserve_original_event"
@@ -64,9 +49,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570978540Z"
- },
 "message": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'",
 "tags": [
 "preserve_original_event"
@@ -76,9 +58,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570979753Z"
- },
 "message": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff",
 "tags": [
 "preserve_original_event"
@@ -88,9 +67,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570980980Z"
- },
 "message": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!",
 "tags": [
 "preserve_original_event"
@@ -100,9 +76,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570982181Z"
- },
 "message": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode",
 "tags": [
 "preserve_original_event"
@@ -112,9 +85,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570983402Z"
- },
 "message": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"",
 "tags": [
 "preserve_original_event"
@@ -124,9 +94,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570984622Z"
- },
 "message": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?",
 "tags": [
 "preserve_original_event"
@@ -136,9 +103,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570986105Z"
- },
 "message": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)",
 "tags": [
 "preserve_original_event"
@@ -148,9 +112,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570987332Z"
- },
 "message": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno",
 "tags": [
 "preserve_original_event"
@@ -160,9 +121,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570988617Z"
- },
 "message": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed",
 "tags": [
 "preserve_original_event"
@@ -172,9 +130,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570989850Z"
- },
 "message": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676",
 "tags": [
 "preserve_original_event"
@@ -184,9 +139,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570991171Z"
- },
 "message": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip",
 "tags": [
 "preserve_original_event"
@@ -196,9 +148,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570992504Z"
- },
 "message": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn",
 "tags": [
 "preserve_original_event"
@@ -208,9 +157,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570993723Z"
- },
 "message": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully",
 "tags": [
 "preserve_original_event"
@@ -220,9 +166,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570994918Z"
- },
 "message": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe",
 "tags": [
 "preserve_original_event"
@@ -232,9 +175,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570996148Z"
- },
 "message": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti",
 "tags": [
 "preserve_original_event"
@@ -244,9 +184,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570997410Z"
- },
 "message": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.",
 "tags": [
 "preserve_original_event"
@@ -256,9 +193,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570998686Z"
- },
 "message": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.",
 "tags": [
 "preserve_original_event"
@@ -268,9 +202,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570999885Z"
- },
 "message": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name",
 "tags": [
 "preserve_original_event"
@@ -280,9 +211,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571001229Z"
- },
 "message": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting",
 "tags": [
 "preserve_original_event"
@@ -292,9 +220,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571002420Z"
- },
 "message": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713",
 "tags": [
 "preserve_original_event"
@@ -304,9 +229,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571003645Z"
- },
 "message": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri",
 "tags": [
 "preserve_original_event"
@@ -316,9 +238,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571004885Z"
- },
 "message": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.",
 "tags": [
 "preserve_original_event"
@@ -328,9 +247,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571006091Z"
- },
 "message": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp",
 "tags": [
 "preserve_original_event"
@@ -340,9 +256,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571007384Z"
- },
 "message": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat",
 "tags": [
 "preserve_original_event"
@@ -352,9 +265,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571008590Z"
- },
 "message": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme",
 "tags": [
 "preserve_original_event"
@@ -364,9 +274,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571009867Z"
- },
 "message": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]",
 "tags": [
 "preserve_original_event"
@@ -376,9 +283,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571011070Z"
- },
 "message": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running",
 "tags": [
 "preserve_original_event"
@@ -388,9 +292,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571012267Z"
- },
 "message": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully",
 "tags": [
 "preserve_original_event"
@@ -400,9 +301,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571013483Z"
- },
 "message": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit",
 "tags": [
 "preserve_original_event"
@@ -412,9 +310,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571014826Z"
- },
 "message": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem",
 "tags": [
 "preserve_original_event"
@@ -424,9 +319,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571016122Z"
- },
 "message": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"",
 "tags": [
 "preserve_original_event"
@@ -436,9 +328,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571017376Z"
- },
 "message": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7",
 "tags": [
 "preserve_original_event"
@@ -448,9 +337,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571018607Z"
- },
 "message": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]",
 "tags": [
 "preserve_original_event"
@@ -460,9 +346,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571019823Z"
- },
 "message": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits",
 "tags": [
 "preserve_original_event"
@@ -472,9 +355,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571021111Z"
- },
 "message": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number",
 "tags": [
 "preserve_original_event"
@@ -484,9 +364,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571022334Z"
- },
 "message": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide",
 "tags": [
 "preserve_original_event"
@@ -496,9 +373,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571023608Z"
- },
 "message": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...",
 "tags": [
 "preserve_original_event"
@@ -508,9 +382,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571024842Z"
- },
 "message": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve",
 "tags": [
 "preserve_original_event"
@@ -520,9 +391,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571026060Z"
- },
 "message": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running",
 "tags": [
 "preserve_original_event"
@@ -532,9 +400,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571027282Z"
- },
 "message": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse",
 "tags": [
 "preserve_original_event"
@@ -544,9 +409,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571028500Z"
- },
 "message": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt",
 "tags": [
 "preserve_original_event"
@@ -556,9 +418,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571029717Z"
- },
 "message": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono",
 "tags": [
 "preserve_original_event"
@@ -568,9 +427,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571031068Z"
- },
 "message": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response",
 "tags": [
 "preserve_original_event"
@@ -580,9 +436,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571032318Z"
- },
 "message": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started",
 "tags": [
 "preserve_original_event"
@@ -592,9 +445,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571033555Z"
- },
 "message": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip",
 "tags": [
 "preserve_original_event"
@@ -604,9 +454,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571034882Z"
- },
 "message": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)",
 "tags": [
 "preserve_original_event"
@@ -616,9 +463,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571036083Z"
- },
 "message": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco",
 "tags": [
 "preserve_original_event"
@@ -628,9 +472,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571037681Z"
- },
 "message": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque",
 "tags": [
 "preserve_original_event"
@@ -640,9 +481,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571038964Z"
- },
 "message": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu",
 "tags": [
 "preserve_original_event"
@@ -652,9 +490,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571040184Z"
- },
 "message": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups",
 "tags": [
 "preserve_original_event"
@@ -664,9 +499,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571041553Z"
- },
 "message": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae",
 "tags": [
 "preserve_original_event"
@@ -676,9 +508,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571042868Z"
- },
 "message": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide",
 "tags": [
 "preserve_original_event"
@@ -688,9 +517,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571044095Z"
- },
 "message": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure",
 "tags": [
 "preserve_original_event"
@@ -700,9 +526,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571045328Z"
- },
 "message": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu",
 "tags": [
 "preserve_original_event"
@@ -712,9 +535,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571046650Z"
- },
 "message": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit",
 "tags": [
 "preserve_original_event"
@@ -724,9 +544,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571047832Z"
- },
 "message": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas",
 "tags": [
 "preserve_original_event"
@@ -736,9 +553,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571049060Z"
- },
 "message": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274",
 "tags": [
 "preserve_original_event"
@@ -748,9 +562,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571050316Z"
- },
 "message": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid",
 "tags": [
 "preserve_original_event"
@@ -760,9 +571,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571053005Z"
- },
 "message": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID",
 "tags": [
 "preserve_original_event"
@@ -772,9 +580,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571054246Z"
- },
 "message": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec",
 "tags": [
 "preserve_original_event"
@@ -784,9 +589,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571055513Z"
- },
 "message": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER",
 "tags": [
 "preserve_original_event"
@@ -796,9 +598,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.571056742Z"
- },
 "message": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo",
 "tags": [
 "preserve_original_event"
@@ -808,9 +607,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571057980Z" - }, "message": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "tags": [ "preserve_original_event" @@ -820,9 +616,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571059234Z" - }, "message": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", "tags": [ "preserve_original_event" 
@@ -832,9 +625,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571060463Z" - }, "message": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", "tags": [ "preserve_original_event" @@ -844,9 +634,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571061685Z" - }, "message": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", "tags": [ "preserve_original_event" @@ -856,9 +643,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571062910Z" - }, "message": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", "tags": [ "preserve_original_event" @@ -868,9 +652,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571064152Z" - }, "message": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "tags": [ "preserve_original_event" @@ -880,9 +661,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571065382Z" - }, "message": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", "tags": [ "preserve_original_event" @@ -892,9 +670,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571066792Z" - }, "message": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", "tags": [ "preserve_original_event" 
@@ -904,9 +679,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571068045Z" - }, "message": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "tags": [ "preserve_original_event" @@ -916,9 +688,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571069234Z" - }, "message": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", "tags": [ "preserve_original_event" @@ -928,9 +697,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571070448Z" - }, "message": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", "tags": [ "preserve_original_event" @@ -940,9 +706,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571071879Z" - }, "message": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", "tags": [ "preserve_original_event" @@ -952,9 +715,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571073173Z" - }, "message": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", "tags": [ "preserve_original_event" 
@@ -964,9 +724,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571074390Z" - }, "message": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", "tags": [ "preserve_original_event" @@ -976,9 +733,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571075620Z" - }, "message": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "tags": [ "preserve_original_event" @@ -988,9 +742,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571076845Z" - }, "message": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", "tags": [ "preserve_original_event" @@ -1000,9 +751,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571078071Z" - }, "message": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", "tags": [ "preserve_original_event" @@ -1012,9 +760,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571079509Z" - }, "message": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", "tags": [ "preserve_original_event" @@ -1024,9 +769,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571081102Z" - }, "message": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "tags": [ "preserve_original_event" 
@@ -1036,9 +778,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571082321Z" - }, "message": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "tags": [ "preserve_original_event" @@ -1048,9 +787,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571083518Z" - }, "message": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "tags": [ "preserve_original_event" @@ -1060,9 +796,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571084709Z" - }, "message": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", "tags": [ "preserve_original_event" @@ -1072,9 +805,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571085920Z" - }, "message": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", "tags": [ "preserve_original_event" @@ -1084,9 +814,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571087216Z" - }, "message": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", "tags": [ "preserve_original_event" @@ -1096,9 +823,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571088516Z" - }, "message": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "tags": [ "preserve_original_event" 
@@ -1108,9 +832,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571089753Z" - }, "message": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", "tags": [ "preserve_original_event" @@ -1120,9 +841,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571090975Z" - }, "message": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", "tags": [ "preserve_original_event" @@ -1132,9 +850,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571092209Z" - }, "message": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "tags": [ "preserve_original_event" @@ -1144,9 +859,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571093406Z" - }, "message": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()", "tags": [ "preserve_original_event" @@ -1156,9 +868,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571095026Z" - }, "message": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", "tags": [ "preserve_original_event" 
@@ -1168,9 +877,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571096344Z" - }, "message": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", "tags": [ "preserve_original_event" @@ -1180,9 +886,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571097573Z" - }, "message": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", "tags": [ "preserve_original_event" @@ -1192,9 +895,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571098784Z" - }, "message": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", "tags": [ "preserve_original_event" diff --git a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml index 283016c3840..a63315d74eb 100644 --- a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml @@ -3,9 +3,6 @@ description: Pipeline for Astaro Security Gateway processors: # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: ecs.version value: '8.0.0' diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml index 0556659ac27..090511e4081 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event 
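Review bot: The retained context comment `# ECS event.ingested` in the default.yml hunk is now stale: it described the three `set` lines this hunk removes, and after the change it sits directly above the processor that sets `ecs.version`. Drop the comment or rewrite it as `# ECS version` so the remaining processor is not mislabelled. Removing the `event.ingested` setter presumably relies on the agent-side final pipeline to populate that field (not visible here); the matching removal of the `dynamic_fields` entry for `event.ingested` in test-common-config.yml on the same line is consistent with that.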
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
index 0aa7ac01d7e..a4c717ab9ad 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
@@ -9,8 +9,8 @@
<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0
<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
-<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
-<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" 
virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" status_code=403
<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" 
log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
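Review bot: Both replacement Anti-Virus HTTP lines in this hunk carry `user_agent="... Chrome/889.160.20.156 Safari/537.36"`, where the removed lines had `Chrome/81.0.4044.138`; the Chrome version now reads like a dotted IP address, which looks like a bulk IP rewrite of the fixture also matched the version token. Only `src_ip`/`dst_ip` needed anonymising, so the two `+` lines should keep a genuine user agent, e.g. restore `Chrome/81.0.4044.138` on both. If the xg pipeline parses `user_agent` (not visible in this diff), the expected output for these two events would otherwise pin a nonsensical browser version.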
@@ -87,5 +87,5 @@
<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
-<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP 
dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 
application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
index a0320d31828..3312263bc5c 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
@@ -22,7 +22,6 @@ "network" ], "code": "041101618035", - "ingested": "2022-01-25T18:09:20.135227957Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -123,7 +122,6 @@ "network" ], "code": "041105613003", - "ingested": "2022-01-25T18:09:20.135231432Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", 
@@ -241,7 +239,6 @@ "network" ], "code": "041107413001", - "ingested": "2022-01-25T18:09:20.135232820Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", @@ -360,7 +357,6 @@ "network" ], "code": "045908413004", - "ingested": "2022-01-25T18:09:20.135234008Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "outcome": "success", 
@@ -467,7 +463,6 @@ "network" ], "code": "041113413005", - "ingested": "2022-01-25T18:09:20.135235177Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", @@ -562,7 +557,6 @@ "network" ], "code": "041114413006", - "ingested": "2022-01-25T18:09:20.135236287Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", 
@@ -657,7 +651,6 @@ "network" ], "code": "041121613009", - "ingested": "2022-01-25T18:09:20.135237408Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "outcome": "success", @@ -751,7 +744,6 @@ "network" ], "code": "041122613010", - "ingested": "2022-01-25T18:09:20.135238559Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", 
@@ -842,7 +834,6 @@
 "network"
 ],
 "code": "041123413012",
- "ingested": "2022-01-25T18:09:20.135239698Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "outcome": "success",
@@ -931,7 +922,6 @@
 "network"
 ],
 "code": "041102413014",
- "ingested": "2022-01-25T18:09:20.135240905Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0",
 "outcome": "success",
@@ -1025,7 +1015,6 @@
 "network"
 ],
 "code": "041207414001",
- "ingested": "2022-01-25T18:09:20.135241998Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "outcome": "success",
@@ -1130,9 +1119,8 @@
 "network"
 ],
 "code": "030906208001",
- "ingested": "2022-01-25T18:09:20.135243272Z",
 "kind": "alert",
- "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403",
+ "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403",
 "outcome": "success",
 "severity": 2,
 "type": [
@@ -1217,7 +1205,7 @@
 "original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf"
 },
 "user_agent": {
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36"
 }
 },
 {
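Review bot: The new `event.original` and `user_agent.original` values in both hunks here (and again in the next pair of hunks for log 1234567890123456) replace the Chrome build `81.0.4044.138` with `889.160.20.156`, which is not a Chrome version; it has the shape of an IP-anonymisation pass that matched the dotted version token inside the user-agent string. The fixture is internally consistent, so the pipeline test will still pass, but only if the sample log fed to it was rewritten identically, and that input change is not visible in this diff. Unlike the `src_ip`/`dst_ip` values, a browser version is not sensitive and the rewrite makes the sample less representative of real device output, which matters for a fixture meant to exercise the `user_agent` processor. I would restore `Chrome/81.0.4044.138` in both the sample log and these expected documents, or restrict the scrubber to the IP-bearing keys so it does not touch `user_agent=`.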
@@ -1254,9 +1242,8 @@
 "network"
 ],
 "code": "030906208001",
- "ingested": "2022-01-25T18:09:20.135244374Z",
 "kind": "alert",
- "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403",
+ "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403",
 "outcome": "success",
 "severity": 2,
 "type": [
@@ -1341,7 +1328,7 @@
 "original": "http://sophostest.com/eicar/index.html"
 },
 "user_agent": {
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36"
 }
 },
 {
@@ -1381,7 +1368,6 @@
 "network"
 ],
 "code": "031106210001",
- "ingested": "2022-01-25T18:09:20.135245470Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
 "outcome": "success",
@@ -1506,7 +1492,6 @@
 "network"
 ],
 "code": "031106210001",
- "ingested": "2022-01-25T18:09:20.135246645Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
 "outcome": "success",
@@ -1619,7 +1604,6 @@
 "network"
 ],
 "code": "036106211001",
- "ingested": "2022-01-25T18:09:20.135247790Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "outcome": "success",
@@ -1721,7 +1705,6 @@
 "network"
 ],
 "code": "036206212001",
- "ingested": "2022-01-25T18:09:20.135249072Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "outcome": "success",
@@ -1820,7 +1803,6 @@
 "network"
 ],
 "code": "031006209001",
- "ingested": "2022-01-25T18:09:20.135250287Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0",
 "outcome": "success",
@@ -1915,7 +1897,6 @@
 "network"
 ],
 "code": "031001609002",
- "ingested": "2022-01-25T18:09:20.135251475Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248",
 "outcome": "success",
@@ -2018,7 +1999,6 @@
 ],
 "code": "086304418010",
 "id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7",
- "ingested": "2022-01-25T18:09:20.135255300Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
 "outcome": "success",
@@ -2119,7 +2099,6 @@
 ],
 "code": "086504418010",
 "id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C",
- "ingested": "2022-01-25T18:09:20.135256561Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
 "outcome": "success",
@@ -2225,7 +2204,6 @@
 ],
 "code": "086504418010",
 "id": "34AC8531-E7C0-4368-9978-5740952EE9AB",
- "ingested": "2022-01-25T18:09:20.135257645Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
 "outcome": "success",
@@ -2331,7 +2309,6 @@
 ],
 "code": "086320518009",
 "id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2",
- "ingested": "2022-01-25T18:09:20.135258798Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
 "outcome": "success",
@@ -2396,10 +2373,12 @@
 {
 "@timestamp": "2017-01-31T14:03:33.000Z",
 "client": {
+ "bytes": 0,
 "ip": "10.198.47.71",
 "port": 9444
 },
 "destination": {
+ "bytes": 319007,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2424,7 +2403,6 @@
 "network"
 ],
 "code": "050901616001",
- "ingested": "2022-01-25T18:09:20.135260064Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"",
 "outcome": "success",
@@ -2462,6 +2440,7 @@
 ]
 },
 "server": {
+ "bytes": 319007,
 "ip": "175.16.199.1",
 "port": 443
 },
@@ -2481,6 +2460,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "ip": "10.198.47.71",
 "port": 9444,
 "user": {
@@ -2495,16 +2475,21 @@
 ],
 "url": {
 "domain": "r8---sn-ci5gup-qxas.googlevideo.com",
- "full": "https://r8---sn-ci5gup-qxas.googlevideo.com/"
+ "full": "https://r8---sn-ci5gup-qxas.googlevideo.com/",
+ "original": "https://r8---sn-ci5gup-qxas.googlevideo.com/",
+ "path": "/",
+ "scheme": "https"
 }
 },
 {
 "@timestamp": "2017-02-01T18:20:21.000Z",
 "client": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 46719
 },
 "destination": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2530,7 +2515,6 @@
 "network"
 ],
 "code": "050902616002",
- "ingested": "2022-01-25T18:09:20.135261252Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"",
 "outcome": "success",
@@ -2565,6 +2549,7 @@
 ]
 },
 "server": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -2584,6 +2569,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2604,16 +2590,21 @@
 ],
 "url": {
 "domain": "hanuman.com",
- "full": "http://hanuman.com/"
+ "full": "http://hanuman.com/",
+ "original": "http://hanuman.com/",
+ "path": "/",
+ "scheme": "http"
 }
 },
 {
 "@timestamp": "2017-02-01T18:13:29.000Z",
 "client": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 49128
 },
 "destination": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2639,7 +2630,6 @@
 "network"
 ],
 "code": "054402617051",
- "ingested": "2022-01-25T18:09:20.135262360Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"",
 "outcome": "success",
@@ -2674,6 +2664,7 @@
 ]
 },
 "server": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 5228
 },
@@ -2699,6 +2690,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2721,10 +2713,12 @@
 {
 "@timestamp": "2020-05-18T14:38:51.000Z",
 "client": {
+ "bytes": 259,
 "ip": "175.16.199.1",
 "port": 62851
 },
 "destination": {
+ "bytes": 168,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2749,7 +2743,6 @@
 "network"
 ],
 "code": "050901616001",
- "ingested": "2022-01-25T18:09:20.135263550Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
 "outcome": "success",
@@ -2788,6 +2781,7 @@
 ]
 },
 "server": {
+ "bytes": 168,
 "ip": "175.16.199.1",
 "port": 443
 },
@@ -2810,6 +2804,7 @@
 }
 },
 "source": {
+ "bytes": 259,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2830,16 +2825,21 @@
 ],
 "url": {
 "domain": "his-eur1-neur1.servicebus.windows.net",
- "full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket"
+ "full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket",
+ "original": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket",
+ "path": "/$servicebus/websocket",
+ "scheme": "https"
 }
 },
 {
 "@timestamp": "2020-05-18T14:38:52.000Z",
 "client": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 60471
 },
 "destination": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2865,7 +2865,6 @@
 "network"
 ],
 "code": "050902616002",
- "ingested": "2022-01-25T18:09:20.135310046Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
 "outcome": "success",
@@ -2905,6 +2904,7 @@
 ]
 },
 "server": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 443
 },
@@ -2927,6 +2927,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2947,16 +2948,21 @@
 ],
 "url": {
 "domain": "175.16.199.1",
- "full": "https://175.16.199.1/"
+ "full": "https://175.16.199.1/",
+ "original": "https://175.16.199.1/",
+ "path": "/",
+ "scheme": "https"
 }
 },
 {
 "@timestamp": "2020-05-18T14:38:53.000Z",
 "client": {
+ "bytes": 980,
 "ip": "175.16.199.1",
 "port": 65391
 },
 "destination": {
+ "bytes": 295,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2981,7 +2987,6 @@
 "network"
 ],
 "code": "050901616001",
- "ingested": "2022-01-25T18:09:20.135312580Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
 "outcome": "success",
@@ -3020,6 +3025,7 @@
 ]
 },
 "server": {
+ "bytes": 295,
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -3043,6 +3049,7 @@
 }
 },
 "source": {
+ "bytes": 980,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -3063,10 +3070,21 @@
 ],
 "url": {
 "domain": "update.eset.com",
- "full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed"
+ "extension": "signed",
+ "full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed",
+ "original": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed",
+ "path": "/eset_upd/ep7/dll/update.ver.signed",
+ "scheme": "http"
 },
 "user_agent": {
- "original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; "
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; ",
+ "os": {
+ "name": "Windows"
+ }
 }
 },
 {
@@ -3083,7 +3101,6 @@
 "network"
 ],
 "code": "058420116010",
- "ingested": "2022-01-25T18:09:20.135330482Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"",
 "outcome": "success",
@@ -3140,10 +3157,12 @@
 {
 "@timestamp": "2016-12-02T18:50:20.000Z",
 "client": {
+ "bytes": 0,
 "ip": "192.168.73.220",
 "port": 37832
 },
 "destination": {
+ "bytes": 0,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -3168,7 +3187,6 @@
 "network"
 ],
 "code": "050927616005",
- "ingested": "2022-01-25T18:09:20.135331895Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"",
 "outcome": "success",
@@ -3206,6 +3224,7 @@
 ]
 },
 "server": {
+ "bytes": 0,
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -3226,6 +3245,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "ip": "192.168.73.220",
 "port": 37832,
 "user": {
@@ -3240,16 +3260,21 @@
 ],
 "url": {
 "domain": "www.google.com",
- "full": "http://www.google.com/"
+ "full": "http://www.google.com/",
+ "original": "http://www.google.com/",
+ "path": "/",
+ "scheme": "http"
 }
 },
 {
 "@timestamp": "2016-12-02T18:50:22.000Z",
 "client": {
+ "bytes": 0,
 "ip": "192.168.73.220",
 "port": 46322
 },
 "destination": {
+ "bytes": 619,
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -3274,7 +3299,6 @@
 "network"
 ],
 "code": "050901616006",
- "ingested": "2022-01-25T18:09:20.135333219Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"",
 "outcome": "success",
@@ -3312,6 +3336,7 @@
 ]
 },
 "server": {
+ "bytes": 619,
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -3334,6 +3359,7 @@
 }
 },
 "source": {
+ "bytes": 0,
 "ip": "192.168.73.220",
 "port": 46322,
 "user": {
@@ -3348,7 +3374,11 @@
 ],
 "url": {
 "domain": "www.google.ca",
- "full": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw"
+ "full": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw",
+ "original": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw",
+ "path": "/",
+ "query": "gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw",
+ "scheme": "http"
 }
 },
 {
@@ -3364,7 +3394,6 @@
 "authentication"
 ],
 "code": "062910617701",
- "ingested": "2022-01-25T18:09:20.135334330Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=",
 "outcome": "success",
@@ -3465,7 +3494,6 @@
 },
 "event": {
 "code": "062511418055",
- "ingested": "2022-01-25T18:09:20.135335499Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"",
 "severity": 4
@@ -3543,7 +3571,6 @@
 },
 "event": {
 "code": "062511318057",
- "ingested": "2022-01-25T18:09:20.135336907Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"",
 "severity": 3
@@ -3596,7 +3623,6 @@
 "authentication"
 ],
 "code": "063210617704",
- "ingested": "2022-01-25T18:09:20.135338020Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=",
 "outcome": "success",
@@ -3679,7 +3705,6 @@
 "malware"
 ],
 "code": "064011517819",
- "ingested": "2022-01-25T18:09:20.135339130Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"",
 "severity": 5,
@@ -3730,7 +3755,6 @@ }, "event": { "code": "063411660022", - "ingested": "2022-01-25T18:09:20.135340265Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "severity": 6 @@ -3784,7 +3808,6 @@ "authentication" ], "code": "063110617710", - "ingested": "2022-01-25T18:09:20.135341408Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "outcome": "success", @@ -3869,7 +3892,6 @@ }, "event": { "code": "062811617824", - "ingested": "2022-01-25T18:09:20.135342555Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "severity": 6 
@@ -3911,8 +3933,7 @@ "priority": "Information", "remote_ip": "10.82.234.12", "starttime": "0", - "status": "Established", - "timestamp": "1589960866" + "status": "Established" } }, "source": { @@ -3938,7 +3959,6 @@ "authentication" ], "code": "063010517708", - "ingested": "2022-01-25T18:09:20.135343685Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "outcome": "failure", @@ -4014,7 +4034,6 @@ }, "event": { "code": "066911518017", - "ingested": "2022-01-25T18:09:20.135344773Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "severity": 5 @@ -4065,7 +4084,6 @@ }, "event": { "code": "062009617502", - "ingested": "2022-01-25T18:09:20.135345885Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "severity": 6 
@@ -4127,7 +4145,6 @@ }, "event": { "code": "062109517507", - "ingested": "2022-01-25T18:09:20.135347028Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "outcome": "failure", @@ -4198,7 +4215,6 @@ }, "event": { "code": "063911517818", - "ingested": "2022-01-25T18:09:20.135348182Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "severity": 5 @@ -4246,7 +4262,6 @@ }, "event": { "code": "063311617923", - "ingested": "2022-01-25T18:09:20.135349285Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "severity": 6 
@@ -4303,7 +4318,6 @@ "authentication" ], "code": "062910617703", - "ingested": "2022-01-25T18:09:20.135352670Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "outcome": "success", @@ -4352,8 +4366,7 @@ "message_id": "17703", "priority": "Information", "start_time": "1591086575", - "status": "Successful", - "timestamp": "1591086576" + "status": "Successful" } }, "source": { @@ -4388,7 +4401,6 @@ "code": "066811618014", "duration": 164000000000000, "end": "2017-03-18T10:29:21.000Z", - "ingested": "2022-01-25T18:09:20.135353958Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "severity": 6, 
@@ -4452,7 +4464,6 @@ "code": "066811618015", "duration": 0, "end": "2017-03-16T12:53:27.000Z", - "ingested": "2022-01-25T18:09:20.135355121Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "severity": 6, @@ -4516,7 +4527,6 @@ "code": "066811618016", "duration": 0, "end": "2017-03-16T12:46:26.000Z", - "ingested": "2022-01-25T18:09:20.135356337Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "severity": 6, @@ -4572,7 +4582,6 @@ }, "event": { "code": "063711517815", - "ingested": "2022-01-25T18:09:20.135357620Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "severity": 5 
@@ -4657,7 +4666,6 @@ "code": "010101600001", "duration": 11000000000, "end": "2020-05-18T14:38:48.000Z", - "ingested": "2022-01-25T18:09:20.135358729Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -4817,7 +4825,6 @@ "code": "010101600001", "duration": 0, "end": "2020-05-18T14:38:38.000Z", - "ingested": "2022-01-25T18:09:20.135359849Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -4977,7 +4984,6 @@ "code": "010102600002", "duration": 0, "end": "2020-05-18T14:38:39.000Z", - "ingested": "2022-01-25T18:09:20.135361010Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5112,7 +5118,6 @@ "code": "010102600002", "duration": 0, "end": "2020-05-18T14:38:40.000Z", - "ingested": "2022-01-25T18:09:20.135362180Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5257,7 +5262,6 @@ "code": "010302602002", "duration": 0, "end": "2020-05-18T14:38:41.000Z", - "ingested": "2022-01-25T18:09:20.135363324Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5388,7 +5392,6 @@ "code": "010102600002", "duration": 0, "end": "2020-05-18T14:38:42.000Z", - "ingested": "2022-01-25T18:09:20.135364500Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5535,7 +5538,6 @@ "code": "010402403001", "duration": 0, "end": "2020-05-18T14:38:43.000Z", - "ingested": "2022-01-25T18:09:20.135365602Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5666,7 +5668,6 @@ "code": "012802605201", "duration": 0, "end": "2020-05-18T14:38:44.000Z", - "ingested": "2022-01-25T18:09:20.135366715Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5797,7 +5798,6 @@ "code": "010101600001", "duration": 0, "end": "2020-05-18T14:38:45.000Z", - "ingested": "2022-01-25T18:09:20.135367828Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -5949,7 +5949,6 @@ "code": "018201500005", "duration": 0, "end": "2020-05-18T14:38:45.000Z", - "ingested": "2022-01-25T18:09:20.135368977Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -6081,7 +6080,6 @@ "code": "010101600001", "duration": 10000000000, "end": "2020-06-05T12:39:03.000Z", - "ingested": "2022-01-25T18:09:20.135370140Z", "kind": "event", "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "outcome": "success", @@ -6100,10 +6098,10 @@ "level": "informational" }, "network": { - "transport": "tcp", "bytes": 3534, + "direction": "internal", "packets": 12, - "direction": "internal" + "transport": "tcp" }, "observer": { "egress": { 
@@ -6233,7 +6231,6 @@ "code": "010202601001", "duration": 0, "end": "2018-05-30T13:26:37.000Z", - "ingested": "2022-01-25T18:09:20.135371251Z", "kind": "event", "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", "outcome": "success", 
@@ -6346,7 +6343,6 @@ "code": "011402601301", "duration": 0, "end": "2018-06-04T17:20:24.000Z", - "ingested": "2022-01-25T18:09:20.135372416Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", 
@@ -6458,7 +6454,6 @@ "code": "010302602002", "duration": 0, "end": "2018-05-30T14:01:32.000Z", - "ingested": "2022-01-25T18:09:20.135373544Z", "kind": "event", "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", 
@@ -6578,7 +6573,6 @@ "code": "010402403001", "duration": 0, "end": "2018-05-30T14:17:17.000Z", - "ingested": "2022-01-25T18:09:20.135374751Z", "kind": "alert", "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "outcome": "success", 
@@ -6694,7 +6688,6 @@ "code": "010502604001", "duration": 0, "end": "2018-06-05T14:30:31.000Z", - "ingested": "2022-01-25T18:09:20.135375907Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "outcome": "success", 
@@ -6819,7 +6812,6 @@ "code": "010602605001", "duration": 0, "end": "2018-05-31T17:05:14.000Z", - "ingested": "2022-01-25T18:09:20.135377004Z", "kind": "alert", "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", 
@@ -6932,7 +6924,6 @@ "code": "011702605051", "duration": 0, "end": "2018-05-30T15:09:51.000Z", - "ingested": "2022-01-25T18:09:20.135378106Z", "kind": "event", "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", 
@@ -7049,7 +7040,6 @@ "code": "016602600006", "duration": 0, "end": "2018-06-01T10:57:55.000Z", - "ingested": "2022-01-25T18:09:20.135379242Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -7180,7 +7170,6 @@ "code": "016602600003", "duration": 0, "end": "2018-06-01T10:55:41.000Z", - "ingested": "2022-01-25T18:09:20.135380384Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", @@ -7300,7 +7289,6 @@ "network" ], "code": "020804407002", - "ingested": "2022-01-25T18:09:20.135381589Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "outcome": "success", 
@@ -7413,7 +7401,6 @@
 "network"
 ],
 "code": "020804407002",
- "ingested": "2022-01-25T18:09:20.135382782Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"",
 "outcome": "success",
@@ -7526,7 +7513,6 @@
 "network"
 ],
 "code": "020804407002",
- "ingested": "2022-01-25T18:09:20.135383940Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
 "outcome": "success",
@@ -7627,7 +7613,6 @@
 "network"
 ],
 "code": "020703406001",
- "ingested": "2022-01-25T18:09:20.135385203Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "outcome": "success",
@@ -7717,7 +7702,6 @@
 "network"
 ],
 "code": "020704406002",
- "ingested": "2022-01-25T18:09:20.135386347Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "outcome": "success",
@@ -7798,7 +7782,6 @@
 "network"
 ],
 "code": "138301618041",
- "ingested": "2022-01-25T18:09:20.135387476Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -7860,7 +7843,6 @@
 "network"
 ],
 "code": "138302218042",
- "ingested": "2022-01-25T18:09:20.135388569Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -7938,7 +7920,6 @@
 "network"
 ],
 "code": "136501618041",
- "ingested": "2022-01-25T18:09:20.135389689Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -7999,7 +7980,6 @@
 "network"
 ],
 "code": "136528618043",
- "ingested": "2022-01-25T18:09:20.135390788Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -8081,7 +8061,6 @@
 "network"
 ],
 "code": "136502218042",
- "ingested": "2022-01-25T18:09:20.135392013Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"",
 "outcome": "success",
@@ -8163,7 +8142,6 @@
 "network"
 ],
 "code": "136502218042",
- "ingested": "2022-01-25T18:09:20.135393808Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -8256,7 +8234,6 @@
 "network"
 ],
 "code": "075000617071",
- "ingested": "2022-01-25T18:09:20.135395008Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79",
 "severity": 6,
@@ -8369,7 +8346,6 @@
 "network"
 ],
 "code": "075000617071",
- "ingested": "2022-01-25T18:09:20.135396148Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79",
 "severity": 6,
@@ -8471,7 +8447,6 @@
 "network"
 ],
 "code": "075000617071",
- "ingested": "2022-01-25T18:09:20.135397387Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3",
 "outcome": "success",
@@ -8569,7 +8544,6 @@
 "network"
 ],
 "code": "075000617071",
- "ingested": "2022-01-25T18:09:20.135398505Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6",
 "outcome": "success",
@@ -8682,7 +8656,6 @@
 "network"
 ],
 "code": "075000617071",
- "ingested": "2022-01-25T18:09:20.135399612Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3",
 "outcome": "success",
@@ -8770,7 +8743,6 @@
 },
 "event": {
 "code": "106025618011",
- "ingested": "2022-01-25T18:09:20.135400694Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
 "outcome": "success",
@@ -8818,7 +8790,6 @@
 },
 "event": {
 "code": "106025618011",
- "ingested": "2022-01-25T18:09:20.135402087Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
 "outcome": "success",
@@ -8863,7 +8834,7 @@
 "@timestamp": "2021-02-11T13:12:45.000Z",
 "client": {
 "bytes": 0,
- "ip": "1.128.3.4",
+ "ip": "89.160.20.156",
 "mac": "11:22:33:44:55:66",
 "nat": {
 "port": 0
@@ -8908,9 +8879,8 @@
 "code": "010101600001",
 "duration": 0,
 "end": "2021-02-11T13:12:45.000Z",
- "ingested": "2022-01-25T18:09:20.135403179Z",
 "kind": "event",
- "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
 "severity": 6,
 "start": "2021-02-11T13:12:45.000Z",
@@ -8928,7 +8898,6 @@
 },
 "network": {
 "bytes": 0,
- "direction": "inbound",
 "packets": 0,
 "transport": "tcp"
 },
@@ -8937,7 +8906,7 @@
 "interface": {
 "name": "Port5.200"
 },
- "zone": "DMZ"
+ "zone": "Zone 9"
 },
 "ingress": {
 "interface": {
@@ -8955,7 +8924,7 @@
 "defaulttest.local"
 ],
 "ip": [
- "1.128.3.4",
+ "89.160.20.156",
 "175.16.199.1",
 "216.160.83.57",
 "216.160.83.61"
@@ -9001,25 +8970,25 @@
 },
 "source": {
 "as": {
- "number": 1221,
+ "number": 29518,
 "organization": {
- "name": "Telstra Pty Ltd"
+ "name": "Bredband2 AB"
 }
 },
 "bytes": 0,
 "geo": {
- "city_name": "Milton",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
 "location": {
- "lat": 47.2513,
- "lon": -122.3149
+ "lat": 58.4167,
+ "lon": 15.6167
 },
- "region_iso_code": "US-WA",
- "region_name": "Washington"
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
 },
- "ip": "1.128.3.4",
+ "ip": "89.160.20.156",
 "mac": "11:22:33:44:55:66",
 "nat": {
 "ip": "216.160.83.57",
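Review bot: The `@@ -8928,7 +8898,6 @@` hunk drops `"direction": "inbound"` from the expected output of a Firewall Rule event whose original line still carries `srczonetype="WAN"` and `dstzonetype="DMZ"`, so the regenerated pipeline no longer sets `network.direction` for this event; if that is intended it should be stated in the changelog, otherwise it reads as a regression, since detection rules and dashboards commonly filter on that field. The neighbouring `@@ -8937,7 +8906,7 @@` hunk changes the egress `zone` from the zone type `"DMZ"` to the zone name `"Zone 9"`, which is a mapping change for existing consumers rather than a new field and deserves the same mention. Because this file is regenerated from the pipeline, any fix belongs in the firewall pipeline rather than in this fixture; the JSON object these hunks belong to starts and ends outside them.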
@@ -9065,7 +9034,6 @@
 "code": "010101600001",
 "duration": 0,
 "end": "2020-06-05T03:45:23.000Z",
- "ingested": "2022-01-25T18:09:20.135404310Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1",
 "outcome": "success",
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log
index 0d16167e4f8..d408bbe958f 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log
@@ -1,50 +1,50 @@
 Nov 16 00:28:48 sophos device_name="SFW" timestamp="2021-11-15T18:28:48-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="UDP" src_port=44740 dst_port=22083 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New"
-Nov 16 00:28:51 sophos device_name="SFW" timestamp="2021-11-15T18:28:51-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain="hls14.asiancdn.net" http_status="0" con_id=173026752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:28:57 sophos device_name="SFW" timestamp="2021-11-15T18:28:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain="hls14.asiancdn.net" http_status="0" con_id=2694936768 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:03 sophos device_name="SFW" timestamp="2021-11-15T18:29:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain="hls14.asiancdn.net" http_status="0" con_id=2564230592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:06 sophos device_name="SFW" timestamp="2021-11-15T18:29:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="18.179.124.174" protocol="TCP" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2617088192 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
-Nov 16 00:29:07 sophos device_name="SFW" timestamp="2021-11-15T18:29:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://array611.prod.do.dsp.mp.microsoft.com" src_ip="192.168.2.110" dst_ip="20.54.24.79" protocol="TCP" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain="array611.prod.do.dsp.mp.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2916030976 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="IRL"
-Nov 16 00:29:11 sophos device_name="SFW" timestamp="2021-11-15T18:29:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain="hls14.asiancdn.net" http_status="0" con_id=2564227072 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:16 sophos device_name="SFW" timestamp="2021-11-15T18:29:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="208.73.181.98" protocol="TCP" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain="208.73.181.98" http_user_agent="TvHttpClient" http_status="200" con_id=3159010752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:20 sophos device_name="SFW" timestamp="2021-11-15T18:29:20-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://mtalk.google.com" src_ip="192.168.2.162" dst_ip="142.250.113.188" protocol="TCP" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain="mtalk.google.com" http_status="0" con_id=172826048 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:21 sophos device_name="SFW" timestamp="2021-11-15T18:29:21-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://204.176.49.2/tivo-service/mercury.cgi" content_type="text/plain" src_ip="192.168.2.131" dst_ip="204.176.49.2" protocol="TCP" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain="204.176.49.2" http_status="200" con_id=175812032 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.202/tivo-service/mlog.cgi?gzip" content_type="text/plain" src_ip="192.168.2.131" dst_ip="208.73.181.202" protocol="TCP" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain="208.73.181.202" http_status="200" con_id=175808832 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain="hls14.asiancdn.net" http_status="0" con_id=2719000448 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:29:23 sophos device_name="SFW" timestamp="2021-11-15T18:29:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://alive.github.com" src_ip="192.168.2.41" dst_ip="140.82.113.26" protocol="TCP" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain="alive.github.com" http_status="0" con_id=2721561088 app_name="GitHub" app_is_cloud="TRUE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=1 app_category="Storage and Backup"
+Nov 16 00:28:51 sophos device_name="SFW" timestamp="2021-11-15T18:28:51-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain="hls14.asiancdn.net" http_status="0" con_id=173026752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:28:57 sophos device_name="SFW" timestamp="2021-11-15T18:28:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain="hls14.asiancdn.net" http_status="0" con_id=2694936768 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:03 sophos device_name="SFW" timestamp="2021-11-15T18:29:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain="hls14.asiancdn.net" http_status="0" con_id=2564230592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:06 sophos device_name="SFW" timestamp="2021-11-15T18:29:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2617088192 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:29:07 sophos device_name="SFW" timestamp="2021-11-15T18:29:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://array611.prod.do.dsp.mp.microsoft.com" src_ip="192.168.2.110" dst_ip="89.160.20.156" protocol="TCP" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain="array611.prod.do.dsp.mp.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2916030976 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="IRL"
+Nov 16 00:29:11 sophos device_name="SFW" timestamp="2021-11-15T18:29:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain="hls14.asiancdn.net" http_status="0" con_id=2564227072 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:16 sophos device_name="SFW" timestamp="2021-11-15T18:29:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain="89.160.20.156" http_user_agent="TvHttpClient" http_status="200" con_id=3159010752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:20 sophos device_name="SFW" timestamp="2021-11-15T18:29:20-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://mtalk.google.com" src_ip="192.168.2.162" dst_ip="89.160.20.156" protocol="TCP" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain="mtalk.google.com" http_status="0" con_id=172826048 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:21 sophos device_name="SFW" timestamp="2021-11-15T18:29:21-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" 
log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156/tivo-service/mercury.cgi" content_type="text/plain" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain="89.160.20.156" http_status="200" con_id=175812032 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156/tivo-service/mlog.cgi?gzip" content_type="text/plain" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain="89.160.20.156" http_status="200" con_id=175808832 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain="hls14.asiancdn.net" http_status="0" con_id=2719000448 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" 
src_country="R1" dst_country="USA" +Nov 16 00:29:23 sophos device_name="SFW" timestamp="2021-11-15T18:29:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://alive.github.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain="alive.github.com" http_status="0" con_id=2721561088 app_name="GitHub" app_is_cloud="TRUE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=1 app_category="Storage and Backup" Nov 16 00:29:26 sophos device_name="SFW" timestamp="2021-11-15T18:29:26-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain="192.168.2.90" http_status="0" con_id=175809792 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1" -Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://tpcf.feedify.net" src_ip="192.168.2.41" dst_ip="205.185.216.10" protocol="TCP" src_port=22569 
dst_port=443 bytes_sent=1752 bytes_received=1556 domain="tpcf.feedify.net" http_status="0" con_id=2685143552 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain="hls14.asiancdn.net" http_status="0" con_id=173140160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:32 sophos device_name="SFW" timestamp="2021-11-15T18:29:32-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="https://logsink.devices.nest.com" src_ip="192.168.2.109" dst_ip="35.190.54.210" protocol="TCP" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain="logsink.devices.nest.com" http_status="0" con_id=3159009472 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:33 sophos device_name="SFW" timestamp="2021-11-15T18:29:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" 
app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="23.111.157.86" dst_country="USA" protocol="UDP" src_port=44740 dst_port=4000 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" -Nov 16 00:29:36 sophos device_name="SFW" timestamp="2021-11-15T18:29:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="54.249.34.55" protocol="TCP" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3729897664 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN" -Nov 16 00:29:39 sophos device_name="SFW" timestamp="2021-11-15T18:29:39-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://api.smartthings.com" src_ip="192.168.2.102" dst_ip="3.21.120.95" protocol="TCP" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain="api.smartthings.com" http_status="0" con_id=3729897984 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" 
log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.105" dst_ip="142.250.114.94" protocol="TCP" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094" http_status="204" con_id=407760320 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.123" dst_ip="142.250.191.227" protocol="TCP" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000" http_status="204" con_id=3019156928 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Business Networking" http_category_type="Acceptable" 
url="https://realtime.www.linkedin.com" src_ip="192.168.2.41" dst_ip="13.107.42.14" protocol="TCP" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain="realtime.www.linkedin.com" http_status="0" con_id=172822528 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:42 sophos device_name="SFW" timestamp="2021-11-15T18:29:42-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="8" web_policy_id=4 http_category="Information Technology" http_category_type="Acceptable" url="http://checkip.dyndns.org/" content_type="text/html" src_ip="192.168.3.36" dst_ip="132.226.247.73" protocol="TCP" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain="checkip.dyndns.org" http_user_agent="ddclient/3.9.1" http_status="200" con_id=154693632 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="BRA" -Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain="hls14.asiancdn.net" http_status="0" con_id=407384704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Shopping" http_category_type="Unproductive" url="https://device-metrics-us-2.amazon.com" src_ip="192.168.2.106" dst_ip="54.157.203.98" protocol="TCP" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain="device-metrics-us-2.amazon.com" http_status="0" con_id=3019356672 app_name="Amazon Shopping" app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=2 app_category="General Internet" -Nov 16 00:29:44 sophos device_name="SFW" timestamp="2021-11-15T18:29:44-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.32" dst_ip="52.183.220.149" protocol="TCP" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=3159007232 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://clientservices.googleapis.com" src_ip="192.168.2.156" dst_ip="142.251.40.67" 
protocol="TCP" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain="clientservices.googleapis.com" http_status="0" con_id=2432150656 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://tpcf.feedify.net" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain="tpcf.feedify.net" http_status="0" con_id=2685143552 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain="hls14.asiancdn.net" http_status="0" con_id=173140160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:32 sophos device_name="SFW" timestamp="2021-11-15T18:29:32-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 
severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="https://logsink.devices.nest.com" src_ip="192.168.2.109" dst_ip="89.160.20.156" protocol="TCP" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain="logsink.devices.nest.com" http_status="0" con_id=3159009472 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:33 sophos device_name="SFW" timestamp="2021-11-15T18:29:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=44740 dst_port=4000 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" +Nov 16 00:29:36 sophos device_name="SFW" timestamp="2021-11-15T18:29:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3729897664 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN" +Nov 16 00:29:39 sophos device_name="SFW" timestamp="2021-11-15T18:29:39-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" 
log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://api.smartthings.com" src_ip="192.168.2.102" dst_ip="89.160.20.156" protocol="TCP" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain="api.smartthings.com" http_status="0" con_id=3729897984 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094" http_status="204" con_id=407760320 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.123" dst_ip="89.160.20.156" protocol="TCP" src_port=35596 dst_port=80 
bytes_sent=310 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000" http_status="204" con_id=3019156928 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Business Networking" http_category_type="Acceptable" url="https://realtime.www.linkedin.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain="realtime.www.linkedin.com" http_status="0" con_id=172822528 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:42 sophos device_name="SFW" timestamp="2021-11-15T18:29:42-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="8" web_policy_id=4 http_category="Information Technology" http_category_type="Acceptable" url="http://checkip.dyndns.org/" content_type="text/html" src_ip="192.168.3.36" dst_ip="89.160.20.156" protocol="TCP" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain="checkip.dyndns.org" http_user_agent="ddclient/3.9.1" http_status="200" con_id=154693632 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="BRA" +Nov 16 00:29:43 sophos device_name="SFW" 
timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain="hls14.asiancdn.net" http_status="0" con_id=407384704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Shopping" http_category_type="Unproductive" url="https://device-metrics-us-2.amazon.com" src_ip="192.168.2.106" dst_ip="89.160.20.156" protocol="TCP" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain="device-metrics-us-2.amazon.com" http_status="0" con_id=3019356672 app_name="Amazon Shopping" app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=2 app_category="General Internet" +Nov 16 00:29:44 sophos device_name="SFW" timestamp="2021-11-15T18:29:44-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.32" dst_ip="89.160.20.156" protocol="TCP" src_port=59357 
dst_port=443 bytes_sent=2144 bytes_received=4386 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=3159007232 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://clientservices.googleapis.com" src_ip="192.168.2.156" dst_ip="89.160.20.156" protocol="TCP" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain="clientservices.googleapis.com" http_status="0" con_id=2432150656 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain="192.168.2.90" http_status="0" con_id=2721559808 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1" -Nov 16 00:29:56 sophos device_name="SFW" timestamp="2021-11-15T18:29:56-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" 
log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Entertainment" http_category_type="Unproductive" url="https://api.thetake.com" src_ip="192.168.2.143" dst_ip="104.22.76.177" protocol="TCP" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain="api.thetake.com" http_status="0" con_id=2685144512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" -Nov 16 00:29:57 sophos device_name="SFW" timestamp="2021-11-15T18:29:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://tools.google.com" src_ip="192.168.2.105" dst_ip="142.251.32.174" protocol="TCP" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain="tools.google.com" http_status="0" con_id=151870592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:30:00 sophos device_name="SFW" timestamp="2021-11-15T18:30:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain="hls14.asiancdn.net" http_status="0" con_id=3019355392 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" -Nov 16 00:30:01 sophos device_name="SFW" timestamp="2021-11-15T18:30:01-0600" 
device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://edge.microsoft.com" src_ip="192.168.2.107" dst_ip="204.79.197.219" protocol="TCP" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain="edge.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2689611008 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:02 sophos device_name="SFW" timestamp="2021-11-15T18:30:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.139" dst_ip="142.251.45.78" protocol="TCP" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain="clients4.google.com" http_status="0" con_id=2432148096 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:03 sophos device_name="SFW" timestamp="2021-11-15T18:30:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.107" dst_ip="52.183.220.149" protocol="TCP" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=173138560 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:06 sophos device_name="SFW" timestamp="2021-11-15T18:30:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="54.249.34.55" protocol="TCP" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2841967104 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
-Nov 16 00:30:11 sophos device_name="SFW" timestamp="2021-11-15T18:30:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Games" http_category_type="Unproductive" url="https://catalog.gamepass.com" src_ip="192.168.2.110" dst_ip="23.218.232.189" protocol="TCP" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain="catalog.gamepass.com" http_status="0" con_id=2685088704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:16 sophos device_name="SFW" timestamp="2021-11-15T18:30:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.105" dst_ip="142.251.45.78" protocol="TCP" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain="clients4.google.com" http_status="0" con_id=3017219520 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://www.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.32.170" protocol="TCP" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain="www.googleapis.com" http_status="0" con_id=154695872 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://play.googleapis.com" src_ip="192.168.2.126" dst_ip="172.217.14.170" protocol="TCP" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain="play.googleapis.com" http_status="0" con_id=2169324160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.45.74" protocol="TCP" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain="android.googleapis.com" http_status="0" con_id=173141120 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:27 sophos device_name="SFW" timestamp="2021-11-15T18:30:27-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://discord.com" src_ip="192.168.2.156" dst_ip="162.159.136.232" protocol="TCP" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain="discord.com" http_status="0" con_id=3732575808 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1"
-Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="208.73.181.98" protocol="TCP" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain="208.73.181.98" http_user_agent="TvHttpClient" http_status="200" con_id=999028608 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="General Business" http_category_type="Acceptable" url="https://backend-ssp.adstudio.cloud" src_ip="192.168.2.41" dst_ip="8.2.110.235" protocol="TCP" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain="backend-ssp.adstudio.cloud" http_status="0" con_id=175214016 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.45.74" protocol="TCP" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain="android.googleapis.com" http_status="0" con_id=3732577728 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="45.57.227.202" protocol="TCP" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain="hls14.asiancdn.net" http_status="0" con_id=173138880 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:33 sophos device_name="SFW" timestamp="2021-11-15T18:30:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://vortex.data.microsoft.com" src_ip="192.168.2.119" dst_ip="64.4.54.254" protocol="TCP" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain="vortex.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2564229952 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="35.74.7.193" protocol="TCP" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3159008512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
-Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Advertisements" http_category_type="Unproductive" url="https://us-trc-events.taboola.com" src_ip="192.168.2.41" dst_ip="141.226.224.48" protocol="TCP" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain="us-trc-events.taboola.com" http_status="0" con_id=999027328 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
-Nov 16 00:30:38 sophos device_name="SFW" timestamp="2021-11-15T18:30:38-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://deviceintegritytokens-pa.googleapis.com" src_ip="192.168.2.126" dst_ip="142.251.32.138" protocol="TCP" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain="deviceintegritytokens-pa.googleapis.com" http_status="0" con_id=408293376 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:56 sophos device_name="SFW" timestamp="2021-11-15T18:29:56-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Entertainment" http_category_type="Unproductive" url="https://api.thetake.com" src_ip="192.168.2.143" dst_ip="89.160.20.156" protocol="TCP" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain="api.thetake.com" http_status="0" con_id=2685144512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1"
+Nov 16 00:29:57 sophos device_name="SFW" timestamp="2021-11-15T18:29:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://tools.google.com" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain="tools.google.com" http_status="0" con_id=151870592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:00 sophos device_name="SFW" timestamp="2021-11-15T18:30:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain="hls14.asiancdn.net" http_status="0" con_id=3019355392 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:01 sophos device_name="SFW" timestamp="2021-11-15T18:30:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://edge.microsoft.com" src_ip="192.168.2.107" dst_ip="89.160.20.156" protocol="TCP" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain="edge.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2689611008 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:02 sophos device_name="SFW" timestamp="2021-11-15T18:30:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.139" dst_ip="89.160.20.156" protocol="TCP" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain="clients4.google.com" http_status="0" con_id=2432148096 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:03 sophos device_name="SFW" timestamp="2021-11-15T18:30:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.107" dst_ip="89.160.20.156" protocol="TCP" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=173138560 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:06 sophos device_name="SFW" timestamp="2021-11-15T18:30:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2841967104 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:30:11 sophos device_name="SFW" timestamp="2021-11-15T18:30:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Games" http_category_type="Unproductive" url="https://catalog.gamepass.com" src_ip="192.168.2.110" dst_ip="89.160.20.156" protocol="TCP" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain="catalog.gamepass.com" http_status="0" con_id=2685088704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:16 sophos device_name="SFW" timestamp="2021-11-15T18:30:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain="clients4.google.com" http_status="0" con_id=3017219520 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://www.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain="www.googleapis.com" http_status="0" con_id=154695872 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://play.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain="play.googleapis.com" http_status="0" con_id=2169324160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain="android.googleapis.com" http_status="0" con_id=173141120 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:27 sophos device_name="SFW" timestamp="2021-11-15T18:30:27-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://discord.com" src_ip="192.168.2.156" dst_ip="89.160.20.156" protocol="TCP" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain="discord.com" http_status="0" con_id=3732575808 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1"
+Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain="89.160.20.156" http_user_agent="TvHttpClient" http_status="200" con_id=999028608 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="General Business" http_category_type="Acceptable" url="https://backend-ssp.adstudio.cloud" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain="backend-ssp.adstudio.cloud" http_status="0" con_id=175214016 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain="android.googleapis.com" http_status="0" con_id=3732577728 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain="hls14.asiancdn.net" http_status="0" con_id=173138880 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:33 sophos device_name="SFW" timestamp="2021-11-15T18:30:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://vortex.data.microsoft.com" src_ip="192.168.2.119" dst_ip="89.160.20.156" protocol="TCP" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain="vortex.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2564229952 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3159008512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Advertisements" http_category_type="Unproductive" url="https://us-trc-events.taboola.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain="us-trc-events.taboola.com" http_status="0" con_id=999027328 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:30:38 sophos device_name="SFW" timestamp="2021-11-15T18:30:38-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://deviceintegritytokens-pa.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain="deviceintegritytokens-pa.googleapis.com" http_status="0" con_id=408293376 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json
index 049f927da81..f5e1ab29b27 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json
@@ -1,24 +1,41 @@ { "expected": [ { - "server": { - "port": 22083, - "ip": "192.168.1.15" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:28:48.000Z", + "client": { + "ip": "192.168.2.32", + "port": 44740 }, "destination": { - "port": 22083, - "ip": "192.168.1.15" + "ip": "192.168.1.15", + "port": 22083 }, - "source": { - "port": 44740, - "ip": "192.168.2.32" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "malware", + "network" + ], + "code": "054402617051", + "kind": "alert", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, @@ -29,10 +46,6 @@ "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:28:48.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" 
@@ -42,118 +55,107 @@ "192.168.1.15" ] }, + "server": { + "ip": "192.168.1.15", + "port": 22083 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "Application", - "device_model": "SFVH", - "log_subtype": "Denied", - "message_id": "17051", + "app_category": "P2P", + "app_filter_policy_id": "6", "app_is_cloud": "FALSE", - "app_technology": "P2P", "app_name": "Torrent Clients P2P", + "app_resolved_by": "Signature", + "app_risk": "5", + "app_technology": "P2P", + "device_model": "SFVH", "device_name": "SFW", + "fw_rule_id": "12", + "log_component": "Application", + "log_subtype": "Denied", "log_type": "Content Filtering", - "app_risk": "5", - "app_resolved_by": "Signature", - "qualifier": "New", - "app_category": "P2P", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "17051", + "qualifier": "New" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 44740, - "ip": "192.168.2.32" + "source": { + "ip": "192.168.2.32", + "port": 44740 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192951025Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", - "code": "054402617051", - "kind": "alert", - "action": "denied", - "category": [ - "malware", - "network" - ], - "type": [ - "info", - "denied", - "connection" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "bytes": 2856085, - "ip": 
"45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:28:51.000Z", + "client": { + "bytes": 19591, + "ip": "192.168.2.111", + "port": 50931 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2856085, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50931, - "bytes": 19591, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" 
src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:28:51.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -161,118 +163,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 2856085, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "173026752", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "173026752", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50931, + "source": { "bytes": 19591, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50931 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192955721Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": 
"success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 1708430, - "ip": "45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:28:57.000Z", + "client": { + "bytes": 12138, + "ip": "192.168.2.111", + "port": 50932 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 1708430, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50932, - "bytes": 12138, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" 
url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:28:57.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -280,118 +281,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 1708430, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2694936768", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2694936768", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50932, + "source": { "bytes": 12138, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50932 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192957824Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2608205, - "ip": "45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:03.000Z", + "client": { + "bytes": 15419, + "ip": "192.168.2.111", + "port": 50933 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2608205, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50933, - "bytes": 15419, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" 
url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -399,118 +399,122 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 2608205, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2564230592", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2564230592", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50933, + "source": { "bytes": 15419, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50933 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192959732Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 80, - "bytes": 249, - "ip": "18.179.124.174" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:06.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 54640 }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "JP-13", - "city_name": "Tokyo", - "country_iso_code": "JP", - "country_name": "Japan", - "region_name": "Tokyo", - "location": { - "lon": 139.7532, - "lat": 35.6882 - } - }, "as": { - "number": 16509, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 249, - "ip": "18.179.124.174" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 54640, - "bytes": 77, - "ip": "192.168.2.112" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/api/v1/connect-test", - "original": "http://info.cspserver.net/api/v1/connect-test", - "scheme": "http", - "domain": "info.cspserver.net", - "full": "http://info.cspserver.net/api/v1/connect-test" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" 
url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -518,115 +522,118 @@ ], "ip": [ "192.168.2.112", - "18.179.124.174" + "89.160.20.156" ] }, + "server": { + "bytes": 249, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2617088192", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2617088192", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/octet-stream", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 54640 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:07.000Z", "client": { - "port": 54640, - "bytes": 77, - "ip": "192.168.2.112" + "bytes": 2128, + "ip": "192.168.2.110", + "port": 53392 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 3511, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - 
"severity": 6, - "ingested": "2021-11-16T04:09:54.192961611Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"18.179.124.174\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"IRL\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" 
- } - }, - { - "server": { - "port": 443, - "bytes": 3511, - "ip": "20.54.24.79" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "port": 443, - "bytes": 3511, - "ip": "20.54.24.79" - }, - "source": { - "port": 53392, - "bytes": 2128, - "ip": "192.168.2.110" - }, - "url": { - "path": "", - "original": "https://array611.prod.do.dsp.mp.microsoft.com", - "scheme": "https", - "domain": "array611.prod.do.dsp.mp.microsoft.com", - "full": "https://array611.prod.do.dsp.mp.microsoft.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:07.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -634,119 +641,118 @@ ], "ip": [ "192.168.2.110", - "20.54.24.79" + "89.160.20.156" ] }, + "server": { + "bytes": 3511, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_is_cloud": "FALSE", "con_id": "2916030976", - "message_id": "16001", + "device_model": "SFVH", + "device_name": "SFW", "exceptions": "av,https,validation,policy,zero-day protection", - "app_is_cloud": "FALSE", + "fw_rule_id": "12", + "http_category": "Information Technology", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53392, + "source": { "bytes": 2128, - "ip": "192.168.2.110" + "ip": "192.168.2.110", + "port": 53392 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192963560Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"20.54.24.79\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" 
src_country=\"R1\" dst_country=\"IRL\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "array611.prod.do.dsp.mp.microsoft.com", + "full": "https://array611.prod.do.dsp.mp.microsoft.com", + "original": "https://array611.prod.do.dsp.mp.microsoft.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2569044, - "ip": "45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:11.000Z", + "client": { + "bytes": 16674, + "ip": "192.168.2.111", + "port": 50934 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." 
+ "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2569044, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50934, - "bytes": 16674, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", 
"type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:11.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -754,117 +760,122 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 2569044, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2564227072", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2564227072", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50934, + "source": { "bytes": 16674, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50934 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192965421Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 8089, - "bytes": 307, - "ip": "208.73.181.98" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:16.000Z", + "client": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40230 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 10982, + "number": 29518, "organization": { - "name": "TiVo, Inc." + "name": "Bredband2 AB" } }, - "port": 8089, "bytes": 307, - "ip": "208.73.181.98" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 }, - "source": { - "port": 40230, - "bytes": 260, - "ip": "192.168.2.131" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/mind/mind42", - "original": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", - "scheme": "http", - "port": 8089, - "domain": "208.73.181.98", - "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", - "full": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" 
fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:16.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -872,121 +883,120 @@ ], "ip": [ "192.168.2.131", - "208.73.181.98" + "89.160.20.156" ] }, + "server": { + "bytes": 307, + "ip": "89.160.20.156", + "port": 8089 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159010752", + "content_type": "application/json", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3159010752", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/json", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 40230, + "source": { "bytes": 260, - "ip": "192.168.2.131" - }, - "http": { - "response": { - "status_code": 200 - } + "ip": "192.168.2.131", + "port": 40230 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192967305Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.98\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"208.73.181.98\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" 
dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "full": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "original": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "path": "/mind/mind42", + "port": 8089, + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "scheme": "http" } }, { - "server": { - "port": 443, - "bytes": 33728, - "ip": "142.250.113.188" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:20.000Z", + "client": { + "bytes": 13804, + "ip": "192.168.2.162", + "port": 53421 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 33728, - "ip": "142.250.113.188" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 53421, - "bytes": 13804, - "ip": "192.168.2.162" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://mtalk.google.com", - "scheme": "https", - "domain": "mtalk.google.com", - "full": "https://mtalk.google.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:20.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -994,119 +1004,122 @@ ], "ip": [ "192.168.2.162", - "142.250.113.188" + "89.160.20.156" ] }, + "server": { + "bytes": 33728, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "172826048", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Online Chat", + "http_category_type": "Unproductive", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "172826048", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Online Chat", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53421, + "source": { "bytes": 13804, - "ip": "192.168.2.162" + "ip": "192.168.2.162", + "port": 53421 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192969295Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"142.250.113.188\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + 
"tags": [ + "preserve_original_event" + ], + "url": { + "domain": "mtalk.google.com", + "full": "https://mtalk.google.com", + "original": "https://mtalk.google.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 80, - "bytes": 136, - "ip": "204.176.49.2" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:21.000Z", + "client": { + "bytes": 240, + "ip": "192.168.2.131", + "port": 33541 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Sunnyvale", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", - "location": { - "lon": -122.0351, - "lat": 37.3479 - } - }, "as": { - "number": 10982, + "number": 29518, "organization": { - "name": "TiVo, Inc." + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 136, - "ip": "204.176.49.2" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 33541, - "bytes": 240, - "ip": "192.168.2.131" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/tivo-service/mercury.cgi", - "extension": "cgi", - "original": "http://204.176.49.2/tivo-service/mercury.cgi", - "scheme": "http", - "domain": "204.176.49.2", - "full": "http://204.176.49.2/tivo-service/mercury.cgi" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" 
http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"89.160.20.156\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:21.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1114,123 +1127,124 @@ ], "ip": [ "192.168.2.131", - "204.176.49.2" + "89.160.20.156" ] }, + "server": { + "bytes": 136, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "175812032", + "content_type": "text/plain", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "175812032", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "text/plain", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 240, + "ip": "192.168.2.131", + "port": 33541 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "extension": "cgi", + "full": "http://89.160.20.156/tivo-service/mercury.cgi", + "original": "http://89.160.20.156/tivo-service/mercury.cgi", + "path": "/tivo-service/mercury.cgi", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:22.000Z", "client": { - "port": 33541, - "bytes": 240, - "ip": "192.168.2.131" + "bytes": 253, + "ip": "192.168.2.131", + "port": 46564 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 123, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": 
"2021-11-16T04:09:54.192980249Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://204.176.49.2/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"204.176.49.2\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"204.176.49.2\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"89.160.20.156\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 80, - "bytes": 123, - "ip": "208.73.181.202" - }, - "log": { - "level": "Information" + ] }, 
- "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 10982, - "organization": { - "name": "TiVo, Inc." - } - }, - "port": 80, - "bytes": 123, - "ip": "208.73.181.202" + "host": { + "name": "defaulttest.local" }, - "source": { - "port": 46564, - "bytes": 253, - "ip": "192.168.2.131" + "http": { + "response": { + "status_code": 200 + } }, - "url": { - "path": "/tivo-service/mlog.cgi", - "extension": "cgi", - "original": "http://208.73.181.202/tivo-service/mlog.cgi?gzip", - "scheme": "http", - "domain": "208.73.181.202", - "query": "gzip", - "full": "http://208.73.181.202/tivo-service/mlog.cgi?gzip" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:22.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1238,124 +1252,120 @@ ], "ip": [ "192.168.2.131", - "208.73.181.202" + "89.160.20.156" ] }, + "server": { + "bytes": 123, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "175808832", + "content_type": "text/plain", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "175808832", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "text/plain", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 253, + "ip": "192.168.2.131", + "port": 46564 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "extension": "cgi", + "full": "http://89.160.20.156/tivo-service/mlog.cgi?gzip", + "original": "http://89.160.20.156/tivo-service/mlog.cgi?gzip", + "path": "/tivo-service/mlog.cgi", + "query": "gzip", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:22.000Z", "client": { - "port": 46564, - "bytes": 253, - "ip": "192.168.2.131" + "bytes": 10131, + "ip": "192.168.2.111", + "port": 50935 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1834077, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - 
"severity": 6, - "ingested": "2021-11-16T04:09:54.192982310Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://208.73.181.202/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.202\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"208.73.181.202\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 1834077, - "ip": "45.57.227.202" + ] + }, + "host": { + "name": 
"defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, - "as": { - "number": 55286, - "organization": { - "name": "B2 Net Solutions Inc." - } - }, - "port": 443, - "bytes": 1834077, - "ip": "45.57.227.202" - }, - "source": { - "port": 50935, - "bytes": 10131, - "ip": "192.168.2.111" - }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:22.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1363,115 +1373,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 1834077, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", - "con_id": "2719000448", - "message_id": "16001", "app_is_cloud": "FALSE", + "con_id": "2719000448", + "device_model": "SFVH", + "device_name": "SFW", + "fw_rule_id": "12", + "http_category": "Content Delivery", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50935, + "source": { "bytes": 10131, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50935 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192984323Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - 
"connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 11890, - "ip": "140.82.113.26" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:23.000Z", + "client": { + "bytes": 18152, + "ip": "192.168.2.41", + "port": 20492 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 36459, + "number": 29518, "organization": { - "name": "GitHub, Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 11890, - "ip": "140.82.113.26" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 20492, - "bytes": 18152, - "ip": "192.168.2.41" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://alive.github.com", - "scheme": "https", - "domain": "alive.github.com", - "full": "https://alive.github.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" 
src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=1 app_category=\"Storage and Backup\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:23.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1479,103 +1491,102 @@ ], "ip": [ "192.168.2.41", - "140.82.113.26" + "89.160.20.156" ] }, + "server": { + "bytes": 11890, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "11", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", - "con_id": "2721561088", - "message_id": "16001", + "app_category": "Storage and Backup", "app_is_cloud": "TRUE", - "http_category_type": "Acceptable", "app_name": "GitHub", + "app_risk": "1", + "con_id": "2721561088", + "device_model": "SFVH", "device_name": "SFW", + "fw_rule_id": "11", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "app_risk": "1", - "app_category": "Storage and Backup", - "log_version": "1" + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 18152, + "ip": "192.168.2.41", + "port": 20492 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "alive.github.com", + "full": "https://alive.github.com", + "original": "https://alive.github.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:26.000Z", "client": { - "port": 20492, - "bytes": 18152, - "ip": "192.168.2.41" + "bytes": 1361, + "ip": "192.168.3.36", + "port": 37906 + }, + "destination": { + "bytes": 3059, + "ip": "192.168.2.90", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192986187Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 
http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"140.82.113.26\" protocol=\"TCP\" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=1 app_category=\"Storage and Backup\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 8089, - "bytes": 3059, - "ip": "192.168.2.90" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "port": 8089, - "bytes": 3059, - "ip": "192.168.2.90" - }, - "source": { - "port": 37906, - "bytes": 1361, - "ip": "192.168.3.36" - }, - "url": { - "path": "", - "original": "https://192.168.2.90", - "scheme": "https", - "domain": "192.168.2.90", - "full": "https://192.168.2.90" - }, - "tags": 
[ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "LAN" + }, + "hostname": "sophos", "ingress": { "zone": "DMZ" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "LAN" - } - }, - "@timestamp": "2021-11-16T00:29:26.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1586,115 +1597,114 @@ "192.168.2.90" ] }, + "server": { + "bytes": 3059, + "ip": "192.168.2.90", + "port": 8089 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "175809792", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "16", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "4", "log_subtype": "Allowed", - "con_id": "175809792", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "4" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 37906, + "source": { "bytes": 1361, - "ip": "192.168.3.36" + "ip": "192.168.3.36", + "port": 37906 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192988038Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "192.168.2.90", 
+ "full": "https://192.168.2.90", + "original": "https://192.168.2.90", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 1556, - "ip": "205.185.216.10" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:28.000Z", + "client": { + "bytes": 1752, + "ip": "192.168.2.41", + "port": 22569 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-AZ", - "city_name": "Phoenix", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Arizona", - "location": { - "lon": -112.0664, - "lat": 33.5065 - } - }, "as": { - "number": 20446, + "number": 29518, "organization": { - "name": "Highwinds Network Group, Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 1556, - "ip": "205.185.216.10" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 22569, - "bytes": 1752, - "ip": "192.168.2.41" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" 
src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" }, - "url": { - "path": "", - "original": "https://tpcf.feedify.net", - "scheme": "https", - "domain": "tpcf.feedify.net", - "full": "https://tpcf.feedify.net" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1702,118 +1712,117 @@ ], "ip": [ "192.168.2.41", - "205.185.216.10" + "89.160.20.156" ] }, + "server": { + "bytes": 1556, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685143552", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "11", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "1", "log_subtype": "Allowed", - "con_id": "2685143552", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 22569, + "source": { "bytes": 1752, - "ip": "192.168.2.41" + "ip": "192.168.2.41", + "port": 22569 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192989886Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"205.185.216.10\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "tpcf.feedify.net", + "full": "https://tpcf.feedify.net", + "original": "https://tpcf.feedify.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2516804, - "ip": "45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:28.000Z", + "client": { + "bytes": 12938, + "ip": "192.168.2.111", + "port": 50936 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2516804, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50936, - "bytes": 12938, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" 
url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1821,118 +1830,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 2516804, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "173140160", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "173140160", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50936, + "source": { "bytes": 12938, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50936 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192991739Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 1259, - "ip": "35.190.54.210" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:32.000Z", + "client": { + "bytes": 8057, + "ip": "192.168.2.109", + "port": 49505 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", - "location": { - "lon": -122.0748, - "lat": 37.4043 - } - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 1259, - "ip": "35.190.54.210" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 49505, - "bytes": 8057, - "ip": "192.168.2.109" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://logsink.devices.nest.com", - "scheme": "https", - "domain": "logsink.devices.nest.com", - "full": "https://logsink.devices.nest.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" 
url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:32.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1940,89 +1948,102 @@ ], "ip": [ "192.168.2.109", - "35.190.54.210" + "89.160.20.156" ] }, + "server": { + "bytes": 1259, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159009472", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3159009472", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 8057, + "ip": "192.168.2.109", + "port": 49505 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "logsink.devices.nest.com", + "full": "https://logsink.devices.nest.com", + "original": "https://logsink.devices.nest.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:33.000Z", + "client": { + "ip": "192.168.2.32", + "port": 44740 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 4000 }, - "client": { - "port": 49505, - "bytes": 8057, - "ip": "192.168.2.109" + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192993699Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" 
log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"35.190.54.210\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", + "action": "denied", "category": [ + "malware", "network" ], + "code": "054402617051", + "kind": "alert", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "outcome": "success", + "severity": 6, "type": [ - "allowed", + "info", + "denied", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 4000, - "ip": "23.111.157.86" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-GA", - "city_name": "Atlanta", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Georgia", - "location": { - "lon": -84.3886, - "lat": 33.7553 - } - }, - "as": { 
- "number": 29802, - "organization": { - "name": "HIVELOCITY, Inc." - } - }, - "port": 4000, - "ip": "23.111.157.86" - }, - "source": { - "port": 44740, - "ip": "192.168.2.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, 
@@ -2033,131 +2054,121 @@ "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:29:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.32", - "23.111.157.86" + "89.160.20.156" ] }, + "server": { + "ip": "89.160.20.156", + "port": 4000 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "Application", - "device_model": "SFVH", - "log_subtype": "Denied", - "message_id": "17051", + "app_category": "P2P", + "app_filter_policy_id": "6", "app_is_cloud": "FALSE", - "app_technology": "P2P", "app_name": "Torrent Clients P2P", + "app_resolved_by": "Signature", + "app_risk": "5", + "app_technology": "P2P", + "device_model": "SFVH", "device_name": "SFW", + "fw_rule_id": "12", + "log_component": "Application", + "log_subtype": "Denied", "log_type": "Content Filtering", - "app_risk": "5", - "app_resolved_by": "Signature", - "qualifier": "New", - "app_category": "P2P", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "17051", + "qualifier": "New" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 44740, - "ip": "192.168.2.32" + "source": { + "ip": "192.168.2.32", + "port": 44740 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192995566Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"23.111.157.86\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", - "code": "054402617051", - "kind": "alert", - "action": "denied", - "category": [ - 
"malware", - "network" - ], - "type": [ - "info", - "denied", - "connection" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 80, - "bytes": 249, - "ip": "54.249.34.55" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:36.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39118 }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "JP-13", - "city_name": "Tokyo", - "country_iso_code": "JP", - "country_name": "Japan", - "region_name": "Tokyo", - "location": { - "lon": 139.7532, - "lat": 35.6882 - } - }, "as": { - "number": 16509, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 249, - "ip": "54.249.34.55" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 39118, - "bytes": 77, - "ip": "192.168.2.112" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/api/v1/connect-test", - "original": "http://info.cspserver.net/api/v1/connect-test", - "scheme": "http", - "domain": "info.cspserver.net", - "full": "http://info.cspserver.net/api/v1/connect-test" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" 
content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:36.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2165,118 +2176,118 @@ ], "ip": [ "192.168.2.112", - "54.249.34.55" + "89.160.20.156" ] }, + "server": { + "bytes": 249, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3729897664", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3729897664", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/octet-stream", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39118 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:39.000Z", "client": { - "port": 39118, - "bytes": 77, - "ip": "192.168.2.112" + "bytes": 1157, + "ip": "192.168.2.102", + "port": 49030 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4092, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - 
"severity": 6, - "ingested": "2021-11-16T04:09:54.192997444Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"54.249.34.55\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 4092, - "ip": "3.21.120.95" + ] + }, + "host": 
{ + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3451, - "lat": 47.6348 - } - }, - "port": 443, - "bytes": 4092, - "ip": "3.21.120.95" - }, - "source": { - "port": 49030, - "bytes": 1157, - "ip": "192.168.2.102" - }, - "url": { - "path": "", - "original": "https://api.smartthings.com", - "scheme": "https", - "domain": "api.smartthings.com", - "full": "https://api.smartthings.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", - "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:39.000Z", - "ecs": { - "version": "1.12.0" + "type": "firewall", + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2284,115 +2295,122 @@ ], "ip": [ "192.168.2.102", - "3.21.120.95" + "89.160.20.156" ] }, + "server": { + "bytes": 4092, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3729897984", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3729897984", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 49030, + "source": { "bytes": 1157, - "ip": "192.168.2.102" + "ip": "192.168.2.102", + "port": 49030 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.192999300Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"3.21.120.95\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], 
- "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "api.smartthings.com", + "full": "https://api.smartthings.com", + "original": "https://api.smartthings.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 80, - "bytes": 83, - "ip": "142.250.114.94" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:40.000Z", + "client": { + "bytes": 474, + "ip": "192.168.2.105", + "port": 52457 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 83, - "ip": "142.250.114.94" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 52457, - "bytes": 474, - "ip": "192.168.2.105" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/generate_204", - "original": "http://connectivitycheck.gstatic.com/generate_204", - "scheme": "http", - "domain": "connectivitycheck.gstatic.com", - "full": "http://connectivitycheck.gstatic.com/generate_204" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" 
url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 204 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2400,120 +2418,122 @@ ], "ip": [ "192.168.2.105", - "142.250.114.94" + "89.160.20.156" ] }, + "server": { + "bytes": 83, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "407760320", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "407760320", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 474, + "ip": "192.168.2.105", + "port": 52457 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "path": "/generate_204", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:40.000Z", "client": { - "port": 52457, - "bytes": 474, - "ip": "192.168.2.105" + "bytes": 310, + "ip": "192.168.2.123", + "port": 35596 }, - "http": { - "response": { - "status_code": 204 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193001164Z", - "original": 
"device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"142.250.114.94\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" 
src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 80, - "bytes": 83, - "ip": "142.250.191.227" - }, - "log": { - "level": "Information" + ] }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "port": 80, - "bytes": 83, - "ip": "142.250.191.227" + "host": { + "name": "defaulttest.local" }, - "source": { - "port": 35596, - "bytes": 310, - "ip": "192.168.2.123" + "http": { + "response": { + "status_code": 204 + } }, - "url": { - "path": "/generate_204", - "original": "http://connectivitycheck.gstatic.com/generate_204", - "scheme": "http", - "domain": "connectivitycheck.gstatic.com", - "full": "http://connectivitycheck.gstatic.com/generate_204" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2521,120 +2541,117 @@ ], "ip": [ "192.168.2.123", - "142.250.191.227" + "89.160.20.156" ] }, + "server": { + "bytes": 83, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3019156928", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3019156928", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 310, + "ip": "192.168.2.123", + "port": 35596 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "path": "/generate_204", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:40.000Z", "client": { - "port": 35596, - "bytes": 310, - "ip": "192.168.2.123" + "bytes": 2182, + "ip": "192.168.2.41", + "port": 22465 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6231, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "http": { - "response": { - "status_code": 204 - } + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193003009Z", - "original": 
"device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"142.250.191.227\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": 
{ - "port": 443, - "bytes": 6231, - "ip": "13.107.42.14" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 8068, - "organization": { - "name": "Microsoft Corporation" - } - }, - "port": 443, - "bytes": 6231, - "ip": "13.107.42.14" - }, - "source": { - "port": 22465, - "bytes": 2182, - "ip": "192.168.2.41" - }, - "url": { - "path": "", - "original": "https://realtime.www.linkedin.com", - "scheme": "https", - "domain": "realtime.www.linkedin.com", - "full": "https://realtime.www.linkedin.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2642,118 +2659,122 @@ ], "ip": [ "192.168.2.41", - "13.107.42.14" + "89.160.20.156" ] }, + "server": { + "bytes": 6231, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "172822528", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "11", + "http_category": "Business Networking", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "1", "log_subtype": "Allowed", - "con_id": "172822528", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Business Networking", - "log_version": "1" + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 22465, + "source": { "bytes": 2182, - "ip": "192.168.2.41" + "ip": "192.168.2.41", + "port": 22465 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193004875Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"13.107.42.14\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "realtime.www.linkedin.com", + "full": "https://realtime.www.linkedin.com", + "original": "https://realtime.www.linkedin.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 80, - "bytes": 270, - "ip": "132.226.247.73" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:42.000Z", + "client": { + "bytes": 91, + "ip": "192.168.3.36", + "port": 56126 }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "NL-NH", - "city_name": "Amsterdam", - "country_iso_code": "NL", - "country_name": "Netherlands", - "region_name": "North Holland", - "location": { - "lon": 4.9087, - "lat": 52.3534 - } - }, "as": { - "number": 7160, + "number": 29518, "organization": { - "name": "Oracle Corporation" + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 270, - "ip": "132.226.247.73" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 56126, - "bytes": 91, - "ip": "192.168.3.36" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/", - "original": "http://checkip.dyndns.org/", - "scheme": "http", - "domain": "checkip.dyndns.org", - "full": "http://checkip.dyndns.org/" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" 
url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "DMZ" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:42.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2761,124 +2782,118 @@ ], "ip": [ "192.168.3.36", - "132.226.247.73" + "89.160.20.156" ] }, + "server": { + "bytes": 270, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "154693632", + "content_type": "text/html", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "8", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "4", "log_subtype": "Allowed", - "con_id": "154693632", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "text/html", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "4" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 91, + "ip": "192.168.3.36", + "port": 56126 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "checkip.dyndns.org", + "full": "http://checkip.dyndns.org/", + "original": "http://checkip.dyndns.org/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:43.000Z", "client": { - "port": 56126, - "bytes": 91, - "ip": "192.168.3.36" + "bytes": 17223, + "ip": "192.168.2.111", + "port": 50937 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2569893, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193006822Z", - "original": 
"device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"132.226.247.73\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 2569893, - "ip": "45.57.227.202" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - 
"destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, - "as": { - "number": 55286, - "organization": { - "name": "B2 Net Solutions Inc." - } - }, - "port": 443, - "bytes": 2569893, - "ip": "45.57.227.202" - }, - "source": { - "port": 50937, - "bytes": 17223, - "ip": "192.168.2.111" - }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:43.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2886,118 +2901,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 2569893, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "407384704", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "407384704", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50937, + "source": { "bytes": 17223, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50937 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193008689Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 5643, - "ip": "54.157.203.98" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:43.000Z", + "client": { + "bytes": 3319, + "ip": "192.168.2.106", + "port": 63937 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.4728, - "lat": 39.0481 - } - }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 5643, - "ip": "54.157.203.98" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 63937, - "bytes": 3319, - "ip": "192.168.2.106" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://device-metrics-us-2.amazon.com", - "scheme": "https", - "domain": "device-metrics-us-2.amazon.com", - "full": "https://device-metrics-us-2.amazon.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" 
http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" src_ip=\"192.168.2.106\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:43.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3005,121 +3019,120 @@ ], "ip": [ "192.168.2.106", - "54.157.203.98" + "89.160.20.156" ] }, + "server": { + "bytes": 5643, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", - "con_id": "3019356672", - "message_id": "16001", + "app_category": "General Internet", "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", "app_name": "Amazon Shopping", + "app_risk": "2", + "con_id": "3019356672", + "device_model": "SFVH", "device_name": "SFW", + "fw_rule_id": "12", + "http_category": "Online Shopping", + "http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Online Shopping", - "app_risk": "2", - "app_category": "General Internet", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 63937, + "source": { "bytes": 3319, - "ip": "192.168.2.106" + "ip": "192.168.2.106", + "port": 63937 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193010554Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" src_ip=\"192.168.2.106\" dst_ip=\"54.157.203.98\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" 
dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "device-metrics-us-2.amazon.com", + "full": "https://device-metrics-us-2.amazon.com", + "original": "https://device-metrics-us-2.amazon.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 4386, - "ip": "52.183.220.149" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:44.000Z", + "client": { + "bytes": 2144, + "ip": "192.168.2.32", + "port": 59357 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", - "location": { - "lon": -98.4935, - "lat": 29.4247 - } - }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 4386, - "ip": "52.183.220.149" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 59357, - "bytes": 2144, - "ip": "192.168.2.32" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://settings-win.data.microsoft.com", - "scheme": "https", - "domain": "settings-win.data.microsoft.com", - "full": "https://settings-win.data.microsoft.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:44.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3127,116 +3140,118 @@ ], "ip": [ "192.168.2.32", - "52.183.220.149" + "89.160.20.156" ] }, + "server": { + "bytes": 4386, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_is_cloud": "FALSE", "con_id": "3159007232", - "message_id": "16001", + "device_model": "SFVH", + "device_name": "SFW", "exceptions": "av,https,validation,policy,zero-day protection", - "app_is_cloud": "FALSE", + "fw_rule_id": "12", + "http_category": "Information Technology", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 2144, + "ip": "192.168.2.32", + "port": 59357 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com", + "original": "https://settings-win.data.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:47.000Z", + "client": { + "bytes": 1839, + "ip": "192.168.2.156", + "port": 62996 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2046, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "client": { - "port": 59357, - "bytes": 2144, - "ip": "192.168.2.32" + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": 
"2021-11-16T04:09:54.193012448Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"52.183.220.149\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 2046, - "ip": 
"142.251.40.67" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "port": 443, - "bytes": 2046, - "ip": "142.251.40.67" - }, - "source": { - "port": 62996, - "bytes": 1839, - "ip": "192.168.2.156" - }, - "url": { - "path": "", - "original": "https://clientservices.googleapis.com", - "scheme": "https", - "domain": "clientservices.googleapis.com", - "full": "https://clientservices.googleapis.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:47.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
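Review bot: The new `event.original` in this hunk still carries `http_status=\"0\"`, `src_country=\"R1\"`, `dst_country=\"USA\"`, `src_zone_type` and `dst_zone_type`, yet none of them shows up in the expected `sophos.xg` object or in any ECS field, so the pipeline under test is silently dropping them; for a "new fields" change it is worth either mapping them (e.g. `http_status` into `http.response.status_code`, guarded so that the Sophos placeholder `0` is not indexed as a real status) or adding a comment in the pipeline stating that they are discarded on purpose. Replacing the real Microsoft/Google destination addresses with the GeoIP test address 89.160.20.156 is the right call for a committed fixture, but the raw line still says `dst_country=\"USA\"` while the expected `destination.geo` now resolves to Sweden, so the sample event is no longer self-consistent; consider changing the sample log to the matching Sophos country code (or dropping the field) so a later detection comparing firewall-reported and GeoIP country is not exercised against contradictory test data. The meaning of `http_status=\"0\"` (presumably "no HTTP response observed", as these are tunneled HTTPS connections) is inferred, not visible here — confirm against the Sophos log reference before choosing the guard.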
@@ -3244,100 +3259,99 @@ ], "ip": [ "192.168.2.156", - "142.251.40.67" + "89.160.20.156" ] }, + "server": { + "bytes": 2046, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2432150656", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2432150656", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 1839, + "ip": "192.168.2.156", + "port": 62996 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clientservices.googleapis.com", + "full": "https://clientservices.googleapis.com", + "original": "https://clientservices.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:47.000Z", "client": { - "port": 62996, - "bytes": 1839, - "ip": "192.168.2.156" + "bytes": 542, + "ip": "192.168.3.36", + "port": 37912 + }, + "destination": { + "bytes": 2376, + "ip": "192.168.2.90", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193014285Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" 
src_ip=\"192.168.2.156\" dst_ip=\"142.251.40.67\" protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 8089, - "bytes": 2376, - "ip": "192.168.2.90" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "port": 8089, - "bytes": 2376, - "ip": "192.168.2.90" - }, - "source": { - "port": 37912, - "bytes": 542, - "ip": "192.168.3.36" - }, - "url": { - "path": "", - "original": "https://192.168.2.90", - "scheme": "https", - "domain": "192.168.2.90", - "full": "https://192.168.2.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "LAN" + }, + "hostname": "sophos", "ingress": { 
"zone": "DMZ" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "LAN" - } - }, - "@timestamp": "2021-11-16T00:29:47.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3348,112 +3362,114 @@ "192.168.2.90" ] }, + "server": { + "bytes": 2376, + "ip": "192.168.2.90", + "port": 8089 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2721559808", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "16", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "4", "log_subtype": "Allowed", - "con_id": "2721559808", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "4" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 37912, + "source": { "bytes": 542, - "ip": "192.168.3.36" + "ip": "192.168.3.36", + "port": 37912 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193016168Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "192.168.2.90", 
+ "full": "https://192.168.2.90", + "original": "https://192.168.2.90", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 6023, - "ip": "104.22.76.177" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:56.000Z", + "client": { + "bytes": 2680, + "ip": "192.168.2.143", + "port": 49274 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 6023, - "ip": "104.22.76.177" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 49274, - "bytes": 2680, - "ip": "192.168.2.143" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://api.thetake.com", - "scheme": "https", - "domain": "api.thetake.com", - "full": "https://api.thetake.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" con_id=2685144512 app_is_cloud=\"FALSE\" 
used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3461,115 +3477,117 @@ ], "ip": [ "192.168.2.143", - "104.22.76.177" + "89.160.20.156" ] }, + "server": { + "bytes": 6023, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685144512", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Entertainment", + "http_category_type": "Unproductive", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2685144512", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Entertainment", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 49274, + "source": { "bytes": 2680, - "ip": "192.168.2.143" + "ip": "192.168.2.143", + "port": 49274 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193018011Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"104.22.76.177\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" con_id=2685144512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + 
"preserve_original_event" + ], + "url": { + "domain": "api.thetake.com", + "full": "https://api.thetake.com", + "original": "https://api.thetake.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 8533, - "ip": "142.251.32.174" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:29:57.000Z", + "client": { + "bytes": 1719, + "ip": "192.168.2.105", + "port": 35672 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 8533, - "ip": "142.251.32.174" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 35672, - "bytes": 1719, - "ip": "192.168.2.105" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://tools.google.com", - "scheme": "https", - "domain": "tools.google.com", - "full": "https://tools.google.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 
domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:29:57.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3577,118 +3595,117 @@ ], "ip": [ "192.168.2.105", - "142.251.32.174" + "89.160.20.156" ] }, + "server": { + "bytes": 8533, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "151870592", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "151870592", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 35672, + "source": { "bytes": 1719, - "ip": "192.168.2.105" + "ip": "192.168.2.105", + "port": 35672 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193019860Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"142.251.32.174\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "tools.google.com", + "full": "https://tools.google.com", + "original": "https://tools.google.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 4923601, - "ip": "45.57.227.202" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:00.000Z", + "client": { + "bytes": 25597, + "ip": "192.168.2.111", + "port": 50938 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, "as": { - "number": 55286, + "number": 29518, "organization": { - "name": "B2 Net Solutions Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 4923601, - "ip": "45.57.227.202" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50938, - "bytes": 25597, - "ip": "192.168.2.111" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" 
url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:00.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3696,115 +3713,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 4923601, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3019355392", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3019355392", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50938, + "source": { "bytes": 25597, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50938 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193021711Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 7256, - "ip": "204.79.197.219" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:01.000Z", + "client": { + "bytes": 10198, + "ip": "192.168.2.107", + "port": 53571 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 8068, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 7256, - "ip": "204.79.197.219" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" 
used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] }, - "source": { - "port": 53571, - "bytes": 10198, - "ip": "192.168.2.107" + "host": { + "name": "defaulttest.local" }, - "url": { - "path": "", - "original": "https://edge.microsoft.com", - "scheme": "https", - "domain": "edge.microsoft.com", - "full": "https://edge.microsoft.com" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3812,116 +3831,118 @@ ], "ip": [ "192.168.2.107", - "204.79.197.219" + "89.160.20.156" ] }, + "server": { + "bytes": 7256, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_is_cloud": "FALSE", "con_id": "2689611008", - "message_id": "16001", + "device_model": "SFVH", + "device_name": "SFW", "exceptions": "av,https,validation,policy,zero-day protection", - "app_is_cloud": "FALSE", + "fw_rule_id": "12", + "http_category": "Information Technology", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53571, + "source": { "bytes": 10198, - "ip": "192.168.2.107" + "ip": "192.168.2.107", + "port": 53571 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193023555Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"204.79.197.219\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" 
dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "edge.microsoft.com", + "full": "https://edge.microsoft.com", + "original": "https://edge.microsoft.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2128, - "ip": "142.251.45.78" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:02.000Z", + "client": { + "bytes": 4395, + "ip": "192.168.2.139", + "port": 49726 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2128, - "ip": "142.251.45.78" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 49726, - "bytes": 4395, - "ip": "192.168.2.139" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://clients4.google.com", - "scheme": "https", - "domain": "clients4.google.com", - "full": "https://clients4.google.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 
http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:02.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3929,118 +3950,117 @@ ], "ip": [ "192.168.2.139", - "142.251.45.78" + "89.160.20.156" ] }, + "server": { + "bytes": 2128, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2432148096", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Search Engines", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2432148096", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Search Engines", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 49726, + "source": { "bytes": 4395, - "ip": "192.168.2.139" + "ip": "192.168.2.139", + "port": 49726 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193025410Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"142.251.45.78\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": 
"success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clients4.google.com", + "full": "https://clients4.google.com", + "original": "https://clients4.google.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 4408, - "ip": "52.183.220.149" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:03.000Z", + "client": { + "bytes": 1697, + "ip": "192.168.2.107", + "port": 53600 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", - "location": { - "lon": -98.4935, - "lat": 29.4247 - } - }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 4408, - "ip": "52.183.220.149" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 53600, - "bytes": 1697, - "ip": "192.168.2.107" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://settings-win.data.microsoft.com", - "scheme": "https", - "domain": "settings-win.data.microsoft.com", - "full": "https://settings-win.data.microsoft.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" 
http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4048,119 +4068,123 @@ ], "ip": [ "192.168.2.107", - "52.183.220.149" + "89.160.20.156" ] }, + "server": { + "bytes": 4408, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_is_cloud": "FALSE", "con_id": "173138560", - "message_id": "16001", + "device_model": "SFVH", + "device_name": "SFW", "exceptions": "av,https,validation,policy,zero-day protection", - "app_is_cloud": "FALSE", + "fw_rule_id": "12", + "http_category": "Information Technology", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53600, + "source": { "bytes": 1697, - "ip": "192.168.2.107" + "ip": "192.168.2.107", + "port": 53600 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193027338Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"52.183.220.149\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" 
src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com", + "original": "https://settings-win.data.microsoft.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 80, - "bytes": 249, - "ip": "54.249.34.55" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:06.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39119 }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "JP-13", - "city_name": "Tokyo", - "country_iso_code": "JP", - "country_name": "Japan", - "region_name": "Tokyo", - "location": { - "lon": 139.7532, - "lat": 35.6882 - } - }, "as": { - "number": 16509, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." 
+ "name": "Bredband2 AB" } }, - "port": 80, "bytes": 249, - "ip": "54.249.34.55" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 }, - "source": { - "port": 39119, - "bytes": 77, - "ip": "192.168.2.112" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/api/v1/connect-test", - "original": "http://info.cspserver.net/api/v1/connect-test", - "scheme": "http", - "domain": "info.cspserver.net", - "full": "http://info.cspserver.net/api/v1/connect-test" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + 
}, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4168,121 +4192,118 @@ ], "ip": [ "192.168.2.112", - "54.249.34.55" + "89.160.20.156" ] }, + "server": { + "bytes": 249, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2841967104", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2841967104", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/octet-stream", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39119 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:11.000Z", "client": { - "port": 39119, - "bytes": 77, - "ip": "192.168.2.112" + "bytes": 1030, + "ip": "192.168.2.110", + "port": 53588 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - 
"severity": 6, - "ingested": "2021-11-16T04:09:54.193029271Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"54.249.34.55\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 6770, - "ip": "23.218.232.189" + ] + }, + "host": { + 
"name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 24835, - "organization": { - "name": "RAYA Telecom - Egypt" - } - }, - "port": 443, - "bytes": 6770, - "ip": "23.218.232.189" - }, - "source": { - "port": 53588, - "bytes": 1030, - "ip": "192.168.2.110" - }, - "url": { - "path": "", - "original": "https://catalog.gamepass.com", - "scheme": "https", - "domain": "catalog.gamepass.com", - "full": "https://catalog.gamepass.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:11.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4290,115 +4311,117 @@ ], "ip": [ "192.168.2.110", - "23.218.232.189" + "89.160.20.156" ] }, + "server": { + "bytes": 6770, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685088704", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Games", + "http_category_type": "Unproductive", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2685088704", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Games", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53588, + "source": { "bytes": 1030, - "ip": "192.168.2.110" + "ip": "192.168.2.110", + "port": 53588 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193031105Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"23.218.232.189\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + 
"preserve_original_event" + ], + "url": { + "domain": "catalog.gamepass.com", + "full": "https://catalog.gamepass.com", + "original": "https://catalog.gamepass.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2848, - "ip": "142.251.45.78" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:16.000Z", + "client": { + "bytes": 7011, + "ip": "192.168.2.105", + "port": 52580 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2848, - "ip": "142.251.45.78" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" 
dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] }, - "source": { - "port": 52580, - "bytes": 7011, - "ip": "192.168.2.105" + "host": { + "name": "defaulttest.local" }, - "url": { - "path": "", - "original": "https://clients4.google.com", - "scheme": "https", - "domain": "clients4.google.com", - "full": "https://clients4.google.com" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:16.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4406,115 +4429,117 @@ ], "ip": [ "192.168.2.105", - "142.251.45.78" + "89.160.20.156" ] }, + "server": { + "bytes": 2848, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3017219520", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Search Engines", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3017219520", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Search Engines", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 52580, + "source": { "bytes": 7011, - "ip": "192.168.2.105" + "ip": "192.168.2.105", + "port": 52580 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193032938Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"142.251.45.78\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": 
"success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clients4.google.com", + "full": "https://clients4.google.com", + "original": "https://clients4.google.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 63488, - "ip": "142.251.32.170" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 3093, + "ip": "192.168.2.126", + "port": 53942 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 63488, - "ip": "142.251.32.170" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 53942, - "bytes": 3093, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://www.googleapis.com", - "scheme": "https", - "domain": "www.googleapis.com", - "full": "https://www.googleapis.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53942 
dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:25.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4522,115 +4547,117 @@ ], "ip": [ "192.168.2.126", - "142.251.32.170" + "89.160.20.156" ] }, + "server": { + "bytes": 63488, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "154695872", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "154695872", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53942, + "source": { "bytes": 3093, - "ip": "192.168.2.126" + "ip": "192.168.2.126", + "port": 53942 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193034758Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.32.170\" protocol=\"TCP\" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - 
], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.googleapis.com", + "full": "https://www.googleapis.com", + "original": "https://www.googleapis.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 7520, - "ip": "172.217.14.170" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 22415, + "ip": "192.168.2.126", + "port": 48938 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 7520, - "ip": "172.217.14.170" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 48938, - "bytes": 22415, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://play.googleapis.com", - "scheme": "https", - "domain": "play.googleapis.com", - "full": "https://play.googleapis.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" 
src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:25.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4638,115 +4665,117 @@ ], "ip": [ "192.168.2.126", - "172.217.14.170" + "89.160.20.156" ] }, + "server": { + "bytes": 7520, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "2169324160", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "2169324160", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 22415, + "ip": "192.168.2.126", + "port": 48938 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "play.googleapis.com", + "full": "https://play.googleapis.com", + "original": "https://play.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 9159, + "ip": "192.168.2.126", + "port": 53450 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 9567, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "client": { - "port": 48938, - "bytes": 22415, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193036597Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" 
device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"172.217.14.170\" protocol=\"TCP\" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 9567, - "ip": "142.251.45.74" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": 
-97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "port": 443, - "bytes": 9567, - "ip": "142.251.45.74" - }, - "source": { - "port": 53450, - "bytes": 9159, - "ip": "192.168.2.126" - }, - "url": { - "path": "", - "original": "https://android.googleapis.com", - "scheme": "https", - "domain": "android.googleapis.com", - "full": "https://android.googleapis.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:25.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4754,106 +4783,117 @@ ], "ip": [ "192.168.2.126", - "142.251.45.74" + "89.160.20.156" ] }, + "server": { + "bytes": 9567, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "173141120", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "173141120", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53450, + "source": { "bytes": 9159, - "ip": "192.168.2.126" + "ip": "192.168.2.126", + "port": 53450 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193038416Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.45.74\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - 
"connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com", + "original": "https://android.googleapis.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 6253, - "ip": "162.159.136.232" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:27.000Z", + "client": { + "bytes": 925, + "ip": "192.168.2.156", + "port": 62998 }, "destination": { "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 6253, - "ip": "162.159.136.232" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 62998, - "bytes": 925, - "ip": "192.168.2.156" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://discord.com", - "scheme": "https", - "domain": "discord.com", - "full": "https://discord.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:27.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4861,117 +4901,122 @@ ], "ip": [ "192.168.2.156", - "162.159.136.232" + "89.160.20.156" ] }, + "server": { + "bytes": 6253, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3732575808", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Online Chat", + "http_category_type": "Unproductive", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3732575808", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Online Chat", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 62998, + "source": { "bytes": 925, - "ip": "192.168.2.156" + "ip": "192.168.2.156", + "port": 62998 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193040261Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"162.159.136.232\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + 
"preserve_original_event" + ], + "url": { + "domain": "discord.com", + "full": "https://discord.com", + "original": "https://discord.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 8089, - "bytes": 307, - "ip": "208.73.181.98" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:28.000Z", + "client": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40233 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 10982, + "number": 29518, "organization": { - "name": "TiVo, Inc." + "name": "Bredband2 AB" } }, - "port": 8089, "bytes": 307, - "ip": "208.73.181.98" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 }, - "source": { - "port": 40233, - "bytes": 260, - "ip": "192.168.2.131" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "/mind/mind42", - "original": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", - "scheme": "http", - "port": 8089, - "domain": "208.73.181.98", - "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", - "full": "http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 
http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4979,124 +5024,120 @@ ], "ip": [ "192.168.2.131", - "208.73.181.98" + "89.160.20.156" ] }, + "server": { + "bytes": 307, + "ip": "89.160.20.156", + "port": 8089 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "999028608", + "content_type": "application/json", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "999028608", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/json", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "IPAddress", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40233 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "full": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "original": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "path": "/mind/mind42", + "port": 8089, + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:28.000Z", "client": { - "port": 40233, - "bytes": 260, - "ip": "192.168.2.131" + "bytes": 1004, + "ip": "192.168.2.41", + "port": 22567 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 584, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + 
"region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193042125Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://208.73.181.98:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"208.73.181.98\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"208.73.181.98\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", 
+ "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 584, - "ip": "8.2.110.235" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-NJ", - "city_name": "Clifton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "New Jersey", - "location": { - "lon": -74.1403, - "lat": 40.8364 - } - }, - "as": { - "number": 46636, - "organization": { - "name": "NatCoWeb Corp." - } - }, - "port": 443, - "bytes": 584, - "ip": "8.2.110.235" - }, - "source": { - "port": 22567, - "bytes": 1004, - "ip": "192.168.2.41" - }, - "url": { - "path": "", - "original": "https://backend-ssp.adstudio.cloud", - "scheme": "https", - "domain": "backend-ssp.adstudio.cloud", - "full": "https://backend-ssp.adstudio.cloud" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5104,115 +5145,117 @@ ], "ip": [ "192.168.2.41", - "8.2.110.235" + "89.160.20.156" ] }, + "server": { + "bytes": 584, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "175214016", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "11", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "1", "log_subtype": "Allowed", - "con_id": "175214016", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 22567, + "source": { "bytes": 1004, - "ip": "192.168.2.41" + "ip": "192.168.2.41", + "port": 22567 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193043966Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"8.2.110.235\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": 
"success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "backend-ssp.adstudio.cloud", + "full": "https://backend-ssp.adstudio.cloud", + "original": "https://backend-ssp.adstudio.cloud", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2607, - "ip": "142.251.45.74" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:30.000Z", + "client": { + "bytes": 2417, + "ip": "192.168.2.126", + "port": 53458 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2607, - "ip": "142.251.45.74" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 53458, - "bytes": 2417, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://android.googleapis.com", - "scheme": "https", - "domain": "android.googleapis.com", - "full": "https://android.googleapis.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" 
protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:30.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5220,118 +5263,117 @@ ], "ip": [ "192.168.2.126", - "142.251.45.74" + "89.160.20.156" ] }, + "server": { + "bytes": 2607, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3732577728", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3732577728", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 2417, + "ip": "192.168.2.126", + "port": 53458 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com", + "original": "https://android.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:30.000Z", + "client": { + "bytes": 36759, + "ip": "192.168.2.111", + "port": 50939 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5080099, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "client": { - "port": 53458, - "bytes": 2417, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193045829Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" 
device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.45.74\" protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 5080099, - "ip": "45.57.227.202" + ] + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - 
"city_name": "Stoney Creek", - "country_iso_code": "CA", - "country_name": "Canada", - "region_name": "Ontario", - "location": { - "lon": -79.7036, - "lat": 43.2183 - } - }, - "as": { - "number": 55286, - "organization": { - "name": "B2 Net Solutions Inc." - } - }, - "port": 443, - "bytes": 5080099, - "ip": "45.57.227.202" - }, - "source": { - "port": 50939, - "bytes": 36759, - "ip": "192.168.2.111" - }, - "url": { - "path": "", - "original": "https://hls14.asiancdn.net", - "scheme": "https", - "domain": "hls14.asiancdn.net", - "full": "https://hls14.asiancdn.net" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:30.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5339,118 +5381,117 @@ ], "ip": [ "192.168.2.111", - "45.57.227.202" + "89.160.20.156" ] }, + "server": { + "bytes": 5080099, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "173138880", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "173138880", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Content Delivery", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50939, + "source": { "bytes": 36759, - "ip": "192.168.2.111" + "ip": "192.168.2.111", + "port": 50939 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193047705Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"45.57.227.202\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 10552, - "ip": "64.4.54.254" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:33.000Z", + "client": { + "bytes": 37822, + "ip": "192.168.2.119", + "port": 59478 }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WY", - "city_name": "Cheyenne", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Wyoming", - "location": { - "lon": -104.8193, - "lat": 41.1399 - } - }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 10552, - "ip": "64.4.54.254" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 59478, - "bytes": 37822, - "ip": "192.168.2.119" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://vortex.data.microsoft.com", - "scheme": "https", - "domain": "vortex.data.microsoft.com", - "full": "https://vortex.data.microsoft.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" 
http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:33.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5458,113 +5499,123 @@ ], "ip": [ "192.168.2.119", - "64.4.54.254" + "89.160.20.156" ] }, + "server": { + "bytes": 10552, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "fw_rule_id": "12", - "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_is_cloud": "FALSE", "con_id": "2564229952", - "message_id": "16001", + "device_model": "SFVH", + "device_name": "SFW", "exceptions": "av,https,validation,policy,zero-day protection", - "app_is_cloud": "FALSE", + "fw_rule_id": "12", + "http_category": "Information Technology", "http_category_type": "Acceptable", - "device_name": "SFW", + "log_component": "HTTP", + "log_subtype": "Allowed", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 37822, + "ip": "192.168.2.119", + "port": 59478 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "vortex.data.microsoft.com", + "full": "https://vortex.data.microsoft.com", + "original": "https://vortex.data.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:36.000Z", "client": { - "port": 59478, - "bytes": 37822, - "ip": "192.168.2.119" + "bytes": 77, + "ip": "192.168.2.112", + "port": 55510 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193049563Z", - "original": 
"device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"64.4.54.254\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 80, - "bytes": 249, - "ip": "35.74.7.193" - }, - "log": { - 
"level": "Information" + ] }, - "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3451, - "lat": 47.6348 - } - }, - "port": 80, - "bytes": 249, - "ip": "35.74.7.193" + "host": { + "name": "defaulttest.local" }, - "source": { - "port": 55510, - "bytes": 77, - "ip": "192.168.2.112" + "http": { + "response": { + "status_code": 200 + } }, - "url": { - "path": "/api/v1/connect-test", - "original": "http://info.cspserver.net/api/v1/connect-test", - "scheme": "http", - "domain": "info.cspserver.net", - "full": "http://info.cspserver.net/api/v1/connect-test" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:36.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5572,121 +5623,118 @@ ], "ip": [ "192.168.2.112", - "35.74.7.193" + "89.160.20.156" ] }, + "server": { + "bytes": 249, + "ip": "89.160.20.156", + "port": 80 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159008512", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "3159008512", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", - "content_type": "application/octet-stream", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "General Business", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 55510 }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:36.000Z", "client": { - "port": 55510, - "bytes": 77, - "ip": "192.168.2.112" + "bytes": 7587, + "ip": "192.168.2.41", + "port": 22570 }, - "http": { - "response": { - "status_code": 200 - } + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1633, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" }, "event": { - 
"severity": 6, - "ingested": "2021-11-16T04:09:54.193051407Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"35.74.7.193\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", - "code": "050901616001", - "kind": "event", "action": "allowed", "category": [ "network" ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, "type": [ "allowed", "connection" - ], - "outcome": "success" - } - }, - { - "server": { - "port": 443, - "bytes": 1633, - "ip": "141.226.224.48" + ] + }, + 
"host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 200478, - "organization": { - "name": "Taboola.com ltd" - } - }, - "port": 443, - "bytes": 1633, - "ip": "141.226.224.48" - }, - "source": { - "port": 22570, - "bytes": 7587, - "ip": "192.168.2.41" - }, - "url": { - "path": "", - "original": "https://us-trc-events.taboola.com", - "scheme": "https", - "domain": "us-trc-events.taboola.com", - "full": "https://us-trc-events.taboola.com" - }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:36.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5694,115 +5742,117 @@ ], "ip": [ "192.168.2.41", - "141.226.224.48" + "89.160.20.156" ] }, + "server": { + "bytes": 1633, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "999027328", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "11", + "http_category": "Advertisements", + "http_category_type": "Unproductive", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "1", "log_subtype": "Allowed", - "con_id": "999027328", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Unproductive", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Advertisements", - "log_version": "1" + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 22570, + "source": { "bytes": 7587, - "ip": "192.168.2.41" + "ip": "192.168.2.41", + "port": 22570 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193053249Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"141.226.224.48\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - 
"outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us-trc-events.taboola.com", + "full": "https://us-trc-events.taboola.com", + "original": "https://us-trc-events.taboola.com", + "path": "", + "scheme": "https" } }, { - "server": { - "port": 443, - "bytes": 2901, - "ip": "142.251.32.138" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:30:38.000Z", + "client": { + "bytes": 45093, + "ip": "192.168.2.126", + "port": 50210 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2901, - "ip": "142.251.32.138" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 50210, - "bytes": 45093, - "ip": "192.168.2.126" + "ecs": { + "version": "8.0.0" }, - "url": { - "path": "", - "original": "https://deviceintegritytokens-pa.googleapis.com", - "scheme": "https", - "domain": "deviceintegritytokens-pa.googleapis.com", - "full": "https://deviceintegritytokens-pa.googleapis.com" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" 
url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp" }, "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:30:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5810,50 +5860,46 @@ ], "ip": [ "192.168.2.126", - "142.251.32.138" + "89.160.20.156" ] }, + "server": { + "bytes": 2901, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { + "app_is_cloud": "FALSE", + "con_id": "408293376", + "device_model": "SFVH", + "device_name": "SFW", "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", "log_component": "HTTP", - "device_model": "SFVH", - "web_policy_id": "12", "log_subtype": "Allowed", - "con_id": "408293376", - "message_id": "16001", - "app_is_cloud": "FALSE", - "http_category_type": "Acceptable", - "device_name": "SFW", "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", "used_quota": "0", - "http_category": "Information Technology", - "log_version": "1" + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50210, + "source": { "bytes": 45093, - "ip": "192.168.2.126" + "ip": "192.168.2.126", + "port": 50210 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:09:54.193055068Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"142.251.32.138\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", - "code": "050901616001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - 
"type": [ - "allowed", - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "deviceintegritytokens-pa.googleapis.com", + "full": "https://deviceintegritytokens-pa.googleapis.com", + "original": "https://deviceintegritytokens-pa.googleapis.com", + "path": "", + "scheme": "https" } } ] diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json index af8376d4ff0..544918ba4c8 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json @@ -1,16 +1,26 @@ { "expected": [ { + "@timestamp": "2021-11-16T02:52:23.000Z", + "client": { + "mac": "00:11:d9:a0:19:11" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "063411660020", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, "log": { "level": "Information" }, - "source": { - "mac": "00:11:d9:a0:19:11" - }, "message": "Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11", - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "sophos", "product": "XG", @@ -18,10 +28,6 @@ "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T02:52:23.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" 
@@ -29,44 +35,47 @@ }, "sophos": { "xg": { + "device_model": "SFVH", "device_name": "SFW", - "log_type": "Event", + "lease_time": "345600", "log_component": "DHCP Server", - "device_model": "SFVH", "log_subtype": "System", - "lease_time": "345600", + "log_type": "Event", + "log_version": "1", + "message_id": "60020", "reported_host": "TIVO-846001190AE52F2", "reported_ip": "192.168.2.131", - "message_id": "60020", - "log_version": "1", "status": "Renew" } }, - "host": { - "name": "defaulttest.local" + "source": { + "mac": "00:11:d9:a0:19:11" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T02:57:56.000Z", "client": { - "mac": "00:11:d9:a0:19:11" + "mac": "88:57:1d:2d:FF:db" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:31.287727910Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"", "code": "063411660020", - "kind": "event" - } - }, - { + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, "log": { "level": "Information" }, - "source": { - "mac": 
"88:57:1d:2d:FF:db" - }, "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db", - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "sophos", "product": "XG", @@ -74,10 +83,6 @@ "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T02:57:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" 
@@ -85,44 +90,47 @@ }, "sophos": { "xg": { + "device_model": "SFVH", "device_name": "SFW", - "log_type": "Event", + "lease_time": "345600", "log_component": "DHCP Server", - "device_model": "SFVH", "log_subtype": "System", - "lease_time": "345600", + "log_type": "Event", + "log_version": "1", + "message_id": "60020", "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", "reported_ip": "192.168.2.112", - "message_id": "60020", - "log_version": "1", "status": "Renew" } }, - "host": { - "name": "defaulttest.local" + "source": { + "mac": "88:57:1d:2d:FF:db" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T03:04:08.000Z", "client": { "mac": "88:57:1d:2d:FF:db" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:31.287732341Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", "code": "063411660020", - "kind": "event" - } - }, - { + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, "log": { "level": "Information" }, - "source": { - "mac": 
"88:57:1d:2d:FF:db" - }, "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db", - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "sophos", "product": "XG", @@ -130,10 +138,6 @@ "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T03:04:08.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" @@ -141,32 +145,25 @@ }, "sophos": { "xg": { + "device_model": "SFVH", "device_name": "SFW", - "log_type": "Event", + "lease_time": "345600", "log_component": "DHCP Server", - "device_model": "SFVH", "log_subtype": "System", - "lease_time": "345600", + "log_type": "Event", + "log_version": "1", + "message_id": "60020", "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", "reported_ip": "192.168.2.112", - "message_id": "60020", - "log_version": "1", "status": "Renew" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "mac": "88:57:1d:2d:FF:db" }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:31.287734163Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", - "code": "063411660020", - "kind": "event" - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log index 3a36ebead23..e702a85406b 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log 
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log 
@@ -1,50 +1,50 @@ -Nov 16 00:25:00 sophos device_name="SFW" timestamp="2021-11-15T18:25:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.250.114.93" dst_country="USA" protocol="TCP" src_port=50875 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="3153941760" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="A4:FC:77:2E:BD:6F" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.162" src_country="R1" dst_ip="142.251.32.238" dst_country="USA" protocol="TCP" src_port=56257 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151869632" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="TCP" src_port=50876 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719000128" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=31 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2718999808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" 
fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" -Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" 
out_display_interface="Port2" -Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=39 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="3153944000" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" -Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" 
fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916028416" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:00 sophos device_name="SFW" timestamp="2021-11-15T18:25:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50875 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="3153941760" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="A4:FC:77:2E:BD:6F" 
dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.162" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=56257 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151869632" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50876 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719000128" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=31 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 
packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2718999808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" 
nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=39 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="3153944000" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" 
in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916028416" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59346 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916031936" hb_status="No Heartbeat" 
app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59347 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172022272" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" -Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=36 
fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="408294336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030976" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" 
in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000195968" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916029696" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=18 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:2A:5C:23" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.122" src_country="R1" 
dst_ip="142.250.115.105" dst_country="USA" protocol="TCP" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154390528" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" -Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="142.251.33.46" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" -Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="999027328" hb_status="No Heartbeat" app_resolved_by="Signature" 
app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=36 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="408294336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" 
log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030976" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000195968" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 
app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916029696" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=18 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:2A:5C:23" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.122" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154390528" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" 
src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="999027328" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="192.168.10.1" dst_country="R1" protocol="UDP" src_port=47944 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" 
dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="35.74.7.193" dst_country="JPN" protocol="TCP" src_port=55499 dst_port=80 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151867392" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151870592" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" 
out_display_interface="Port2"
-Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=16 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:1D:B6:D9" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.118" src_country="R1" dst_ip="142.250.115.106" dst_country="USA" protocol="TCP" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172108928" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="89.160.20.156" dst_country="JPN" protocol="TCP" src_port=55499 dst_port=80 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151867392" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:06 sophos device_name="SFW" 
timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151870592" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=16 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:1D:B6:D9" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.118" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172108928" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
 Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" nat_rule_id="0" fw_rule_type="USER" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type="Unknown (0x0000)" in_interface="Port3" out_interface="Port1" src_mac="00:50:56:9F:49:13" dst_mac="00:50:56:9F:EF:8A" src_ip="192.168.3.36" src_country="R1" dst_ip="192.168.2.90" dst_country="R1" protocol="TCP" src_port=48524 dst_port=9988 src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" con_event="Start" con_id="2685088384" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port3" out_display_interface="Port1"
-Nov 16 00:25:07 sophos device_name="SFW" timestamp="2021-11-15T18:25:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172105728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 
ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386944" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=33 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407384064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=19 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Youtube Website" app_risk=3 app_technology="Browser Based" app_category="Streaming Media" ether_type="Unknown (0x0000)" 
in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="142.250.114.93" dst_country="USA" protocol="TCP" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" 
src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000196608" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:07 sophos device_name="SFW" timestamp="2021-11-15T18:25:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" 
protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172105728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386944" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=33 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" 
con_event="Stop" con_id="407384064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=19 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Youtube Website" app_risk=3 app_technology="Browser Based" app_category="Streaming Media" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" 
src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000196608" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001088" hb_status="No 
Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
 Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:B1:FE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.16" src_country="R1" dst_ip="192.168.1.167" dst_country="R1" protocol="TCP" src_port=63043 dst_port=8089 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685089984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=411 fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="104.18.6.10" protocol="TCP" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407759360" hb_status="No 
Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000197248" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 
16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=30 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154696512" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" 
log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.251.40.67" dst_country="USA" protocol="UDP" src_port=59335 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088704" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 
severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2694935808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 
ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="8.8.8.8" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.250.68.131" dst_country="USA" protocol="UDP" src_port=62171 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151868992" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=17 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" 
src_mac="34:C9:3D:23:51:C2" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.110" src_country="R1" dst_ip="23.218.232.189" dst_country="USA" protocol="TCP" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172106048" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.251.33.14" dst_country="USA" protocol="UDP" src_port=52915 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" 
dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386624" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="1.1.1.1" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="8.8.8.8" dst_country="USA" protocol="UDP" 
src_port=34141 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
-Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="142.250.113.138" dst_country="USA" protocol="UDP" src_port=51751 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=411 fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" protocol="TCP" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 
bytes_sent=2297 bytes_received=2229 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407759360" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000197248" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" 
dst_zone="WAN" con_event="Stop" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=30 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154696512" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" 
qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=59335 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088704" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" 
timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2694935808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=62171 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151868992" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=17 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 
ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="34:C9:3D:23:51:C2" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.110" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172106048" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=52915 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" 
web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386624" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" 
app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=34141 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=51751 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
index 856e8e4a071..a031faed65d 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
@@ -1,74 +1,77 @@ { "expected": [ { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.250.114.93" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:00.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "port": 50875 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.250.114.93" + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 50875, - "mac": "00:26:37:EE:47:20", - "ip": "192.168.2.111" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" 
dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:00.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -76,123 +79,124 @@ ], "ip": [ "192.168.2.111", - "142.250.114.93", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "3153941760", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50875, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", - "ip": "192.168.2.111" + "nat": { + "ip": "192.168.1.2" + }, + "port": 50875 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214134055Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.250.114.93\" 
dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.251.32.238" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.162", + "mac": "A4:FC:77:2E:BD:6F", + "port": 56257 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.251.32.238" + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 56257, - "mac": "A4:FC:77:2E:BD:6F", - "ip": "192.168.2.162" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" 
log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -200,123 +204,124 @@ ], "ip": [ "192.168.2.162", - "142.251.32.238", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "151869632", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 56257, + "source": { + "ip": "192.168.2.162", "mac": "A4:FC:77:2E:BD:6F", - "ip": "192.168.2.162" + "nat": { + "ip": "192.168.1.2" + }, + "port": 56257 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214138492Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"142.251.32.238\" 
dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "port": 50876 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.251.33.46" + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 50876, - "mac": "00:26:37:EE:47:20", - "ip": "192.168.2.111" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" 
log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -324,128 +329,131 @@ ], "ip": [ "192.168.2.111", - "142.251.33.46", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2719000128", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50876, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", - "ip": "192.168.2.111" + "nat": { + "ip": "192.168.1.2" + }, + "port": 50876 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214140583Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" 
dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 31000000000, + "end": "2021-11-16T00:25:32.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:01.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -453,341 +461,343 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "2718999808", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 31000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214142590Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
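Review bot: The updated expected documents keep `dst_country="USA"` (and `dst_country="AUS"` for the ICMP flows) inside `event.original` while the geo enrichment for the replacement address 89.160.20.156 now says Sweden (`country_iso_code: "SE"`), so the fixture is no longer self-consistent. This is harmless today because `destination.geo` evidently comes from the geoip lookup on `dst_ip` rather than from the vendor-supplied `dst_country`, but it means a later pipeline change that starts mapping `dst_country` into ECS would not be caught by this test. Consider editing the source log lines so `dst_country` agrees with the lookup, or note in the test config that the mismatch is deliberate. Moving the fixture away from live third-party addresses (Google, Cloudflare) is the right call for data committed to the repository.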
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:01.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:32.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, - "ip": "142.251.33.46" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 61709, - "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" 
device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, "observer": { + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" } }, - "hostname": "sophos", "product": "XG", "serial_number": "C01001BQC8TFFFF", "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.111", - "142.251.33.46" + "89.160.20.156" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Denied", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00002", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Denied", "log_type": "Firewall", - "ether_type": "IPv4 (0x0800)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", "log_version": "1", - 
"app_filter_policy_id": "6" + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 61709, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "port": 61709 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214144429Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", - "code": "010102600002", - "kind": "event", - "action": "denied", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, - "ip": "142.251.33.46" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 
58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 61709, - "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, "observer": { + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" } }, - "hostname": "sophos", "product": "XG", "serial_number": "C01001BQC8TFFFF", "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.111", - "142.251.33.46" + "89.160.20.156" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", 
"device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Denied", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00002", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Denied", "log_type": "Firewall", - "ether_type": "IPv4 (0x0800)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 61709, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "port": 61709 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214146257Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", - "code": "010102600002", - "kind": "event", - "action": "denied", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" 
}, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + 
"log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -795,128 +805,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2916030336", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214148099Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
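Review bot: `sophos.xg.nat_rule_id` disappears from every expected document in this hunk and nothing on the new side carries the value: for the two `Denied` events `nat_rule_id="0"` survives only inside `event.original`, while `rule.id` is `"12"` (the `fw_rule_id`), so the NAT rule that matched can no longer be queried as a structured field. If the pipeline change deliberately drops the field, the changelog entry should call that out as a breaking change for saved searches and detections keyed on it; if it was meant to be renamed onto an ECS `rule.*` field, the fixture shows it was lost instead. The ingest pipeline that produces this output is outside this hunk, so this is inferred from the expected JSON alone.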
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 39000000000, + "end": "2021-11-16T00:25:41.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:02.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:02.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -924,233 +936,234 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "3153944000", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 39000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214149941Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:02.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:41.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, - "ip": "142.251.33.46" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 61709, - "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" 
device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, "observer": { + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" } }, - "hostname": "sophos", "product": "XG", "serial_number": "C01001BQC8TFFFF", "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:25:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.111", - "142.251.33.46" + "89.160.20.156" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Denied", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00002", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Denied", "log_type": "Firewall", - "ether_type": "IPv4 (0x0800)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", "log_version": "1", - 
"app_filter_policy_id": "6" + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 61709, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "port": 61709 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214151775Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", - "code": "010102600002", - "kind": "event", - "action": "denied", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:02.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
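Review bot: The new expected output drops `sophos.xg.nat_rule_id` without relocating the value — the removed lines `- "nat_rule_id": "12"` in this hunk's first `sophos.xg` object and `- "nat_rule_id": "0"` in the Denied event have no counterpart on the new side, and the only rule identifier kept is `rule.id`, which carries `fw_rule_id`. For the Denied event this means the value `0` no longer appears anywhere in the document, so which NAT rule matched can no longer be recovered from the indexed event. If the pipeline had renamed the field rather than dropped it, the new value would show up in this fixture, so this looks like a loss of data; if the drop is intentional it belongs in the changelog entry, otherwise the pipeline should keep emitting `"nat_rule_id"` under `sophos.xg` and the expectation be regenerated. The same removal recurs in the hunks headed `@@ -1158,108 +1171,105 @@`, `@@ -1271,104 +1281,102 @@` and `@@ -1380,232 +1388,236 @@`.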
@@ -1158,108 +1171,105 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2916028416", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", "client": { - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "port": 59346 + }, + "destination": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214153605Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" 
nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", "action": "allowed", "category": [ "network" ], - "outcome": "success" - } - }, - { - "server": { - "port": 22083, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.1.15" + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": 
"Information" }, - "destination": { - "port": 22083, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.1.15" - }, - "rule": { - "id": "12" - }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 59346, - "mac": "00:50:56:9F:CD:68", - "ip": "192.168.2.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1271,104 +1281,102 @@ "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2916031936", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" + "source": { + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59346 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", "client": { - "port": 59346, + "ip": "192.168.2.32", "mac": "00:50:56:9F:CD:68", - "ip": "192.168.2.32" + "port": 59347 + }, + "destination": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214155439Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 
app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", "action": "allowed", "category": [ "network" ], - "outcome": "success" - } - }, - { - "server": { - "port": 22083, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.1.15" + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "port": 22083, - 
"mac": "00:50:56:9F:39:33", - "ip": "192.168.1.15" - }, - "rule": { - "id": "12" - }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 59347, - "mac": "00:50:56:9F:CD:68", - "ip": "192.168.2.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1380,232 +1388,236 @@ "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "172022272", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 59347, + "source": { + "ip": "192.168.2.32", "mac": "00:50:56:9F:CD:68", - "ip": "192.168.2.32" + "nat": { + "ip": "192.168.1.2" + }, + "port": 59347 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214157377Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, - "ip": "142.251.33.46" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 61709, - "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 
ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, "observer": { + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" } }, - "hostname": "sophos", "product": "XG", "serial_number": "C01001BQC8TFFFF", "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:25:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.111", - "142.251.33.46" + "89.160.20.156" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Denied", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00002", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Denied", "log_type": "Firewall", - "ether_type": "IPv4 (0x0800)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 61709, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "port": 61709 }, - 
"event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214159216Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", - "code": "010102600002", - "kind": "event", - "action": "denied", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 36000000000, + "end": "2021-11-16T00:25:39.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:03.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "Port1" + "name": "Port2" }, - "zone": "LAN" + "zone": "WAN" }, "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
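Review bot: The `original` string of this hunk's Denied event carries `dst_country=\"USA\"` (and the ICMP events `dst_country=\"AUS\"`) while `dst_ip` is `89.160.20.156`, which the GeoIP enrichment on the new side resolves to `"country_iso_code": "SE"`. The pipeline appears to discard `dst_country` (it is absent from both the old and the new `sophos.xg` objects), so the expectation still passes, but the fixture now contradicts itself and would mask a regression if `dst_country` were ever mapped onto `destination.geo`. Since the `original` strings were evidently edited to swap in the documentation IP, the country codes in the `.log` input should be adjusted in the same change to the alpha-3 code the device would emit for Sweden (presumably `SWE`), and the expected JSON regenerated.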
@@ -1613,125 +1625,125 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "408294336", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 36000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214161054Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:03.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:39.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1739,128 +1751,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2916030976", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214162899Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:04.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 35000000000, + "end": "2021-11-16T00:25:39.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:04.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:04.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1868,125 +1882,125 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "1000195968", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 35000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214164730Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:04.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:39.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:04.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:04.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -1994,131 +2008,132 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2916029696", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214166630Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 80, - "bytes": 112, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "142.250.115.105" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "bytes": 216, + "ip": "192.168.2.122", + "mac": "2C:AA:8E:2A:5C:23", + "packets": 4, + "port": 41242 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 112, - "ip": "142.250.115.105", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2 + "packets": 2, + "port": 80 }, - "rule": { - "id": "19" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 41242, - "bytes": 216, - "mac": "2C:AA:8E:2A:5C:23", - "packets": 4, - "ip": "192.168.2.122" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 18000000000, + "end": "2021-11-16T00:25:23.000Z", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:05.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", "bytes": 328, + "direction": "outbound", "packets": 6, - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2126,241 +2141,244 @@ ], "ip": [ "192.168.2.122", - "142.250.115.105", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "19" + }, + "server": { + "bytes": 112, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "8", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "154390528", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "5", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "8" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 41242, + "source": { "bytes": 216, + "ip": "192.168.2.122", "mac": "2C:AA:8E:2A:5C:23", + "nat": { + "ip": "192.168.1.2" + }, "packets": 4, - "ip": "192.168.2.122" + "port": 41242 }, - "event": { - "duration": 18000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214168474Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"142.250.115.105\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:05.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:23.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "ip": "142.251.33.46" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, - "ip": "142.251.33.46" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 61709, - "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" 
device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "udp" }, "observer": { + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" } }, - "hostname": "sophos", "product": "XG", "serial_number": "C01001BQC8TFFFF", "type": "firewall", "vendor": "Sophos" }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "defaulttest.local" ], "ip": [ "192.168.2.111", - "142.251.33.46" + "89.160.20.156" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Denied", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00002", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Denied", "log_type": "Firewall", - "ether_type": "IPv4 (0x0800)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", 
"log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 61709, + "source": { + "ip": "192.168.2.111", "mac": "00:26:37:ee:47:20", - "ip": "192.168.2.111" + "port": 61709 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214170343Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.251.33.46\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", - "code": "010102600002", - "kind": "event", - "action": "denied", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 37000000000, + "end": "2021-11-16T00:25:42.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:05.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2368,113 +2386,109 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "999027328", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "port": 47944 + }, + "destination": { + "ip": "192.168.10.1", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "duration": 37000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214172168Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" 
log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:05.000Z", "action": "allowed", - "end": "2021-11-16T00:25:42.000Z", "category": [ "network" ], - "outcome": "success" - } - }, - { - "server": { - "port": 53, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.10.1" + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" 
src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "port": 53, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.10.1" - }, - "rule": { - "id": "12" - }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 47944, - "mac": "88:57:1D:2D:19:DB", - "ip": "192.168.2.112" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
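Review bot: `sophos.xg.nat_rule_id` disappears from the regenerated document in this hunk (the `- "nat_rule_id": "12"` line has no `+` counterpart anywhere in the new, alphabetically ordered object), and the same removal repeats in every following hunk of this file, including the document whose raw line carries `nat_rule_id="0"`. The `fw_rule_id` value is still surfaced as `rule.id`, so it looks like the NAT rule identifier is the only rule reference the firewall pipeline stopped keeping; whether that was intended is not visible from the fixture. If it is intended, the corresponding `nat_rule_id` entry in fields.yml and the README field table should be dropped in the same change; if not, the firewall pipeline needs to keep the field, since an analyst correlating `source.nat.ip` against the rule that rewrote the flow has no other handle on it. As this file is regenerated from the pipeline output, the fix belongs in `ingest_pipeline/firewall.yml` rather than here.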
@@ -2486,120 +2500,124 @@ "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.10.1", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", - "con_id": "2685088064", - "fw_rule_type": "USER", - "hb_status": "No Heartbeat", - "ips_policy_id": "8", - "message_id": "00001", + "app_category": "Infrastructure", + "app_filter_policy_id": "6", "app_is_cloud": "FALSE", - "app_technology": "Network Protocol", "app_name": "DNS", - "device_name": "SFW", - "log_type": "Firewall", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", "con_event": "Start", + "con_id": "2685088064", + "device_model": "SFVH", + "device_name": "SFW", "ether_type": "Unknown (0x0000)", - "app_risk": "1", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", - "app_category": "Infrastructure", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 47944, + "source": { + "ip": "192.168.2.112", "mac": "88:57:1D:2D:19:DB", - "ip": "192.168.2.112" + "nat": { + "ip": "192.168.1.2" + }, + "port": 47944 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214174014Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" 
app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 80, - "mac": "00:50:56:9F:39:33", - "ip": "35.74.7.193" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "port": 55499 }, "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lon": -122.3451, - "lat": 47.6348 - } + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "port": 80, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "35.74.7.193" + "port": 80 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 55499, - "mac": "88:57:1D:2D:19:DB", - "ip": "192.168.2.112" + "event": { + "action": "allowed", + 
"category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2607,120 +2625,122 @@ ], "ip": [ "192.168.2.112", - "35.74.7.193", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 80 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "151867392", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 55499, + "source": { + "ip": "192.168.2.112", "mac": "88:57:1D:2D:19:DB", - "ip": "192.168.2.112" + "nat": { + "ip": "192.168.1.2" + }, + "port": 55499 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214175852Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"35.74.7.193\" 
dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:05.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2728,131 +2748,132 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "151870592", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214177701Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 80, - "bytes": 112, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "142.250.115.106" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:06.000Z", + "client": { + "bytes": 216, + "ip": "192.168.2.118", + "mac": "2C:AA:8E:1D:B6:D9", + "packets": 4, + "port": 44720 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 80, "bytes": 112, - "ip": "142.250.115.106", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2 + "packets": 2, + "port": 80 }, - "rule": { - "id": "19" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 44720, - "bytes": 216, - "mac": "2C:AA:8E:1D:B6:D9", - "packets": 4, - "ip": "192.168.2.118" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 16000000000, + "end": "2021-11-16T00:25:22.000Z", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:06.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", "bytes": 328, + "direction": "outbound", "packets": 6, - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2860,110 +2881,110 @@ ], "ip": [ "192.168.2.118", - "142.250.115.106", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "19" + }, + "server": { + "bytes": 112, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "8", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "172108928", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "5", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "8" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 44720, + "source": { "bytes": 216, + "ip": "192.168.2.118", "mac": "2C:AA:8E:1D:B6:D9", + "nat": { + "ip": "192.168.1.2" + }, "packets": 4, - "ip": "192.168.2.118" + "port": 44720 }, - "event": { - "duration": 16000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214179612Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"142.250.115.106\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:06.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:22.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 9988, - "mac": "00:50:56:9F:EF:8A", - "ip": "192.168.2.90" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:06.000Z", + "client": { + "ip": "192.168.3.36", + "mac": "00:50:56:9F:49:13", + "port": 48524 }, "destination": { - "port": 9988, + "ip": "192.168.2.90", "mac": "00:50:56:9F:EF:8A", - "ip": "192.168.2.90" + "port": 9988 }, - "rule": { - "id": "16" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 
dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port3\" out_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" }, - "source": { - "port": 48524, - "mac": "00:50:56:9F:49:13", - "ip": "192.168.3.36" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "internal" + "direction": "internal", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port3" }, "zone": "DMZ" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port1" - }, - "zone": "LAN" - } - }, - "@timestamp": "2021-11-16T00:25:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -2974,116 +2995,115 @@ "192.168.2.90" ] }, + "rule": { + "id": "16" + }, + "server": { + "ip": "192.168.2.90", + "mac": "00:50:56:9F:EF:8A", + "port": 9988 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "4", - "log_subtype": "Allowed", + "app_filter_policy_id": "7", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2685088384", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "6", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "0", "log_version": "1", - "app_filter_policy_id": "7" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "4" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 48524, + "source": { + "ip": "192.168.3.36", "mac": "00:50:56:9F:49:13", - "ip": "192.168.3.36" + "port": 48524 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214181429Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" 
dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port3\" out_display_interface=\"Port1\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:07.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown 
(0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:07.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3091,120 +3111,121 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "172105728", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214183267Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
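Review bot: `sophos.xg.nat_rule_id` disappears from the expected output (the `- "nat_rule_id": "12",` removal under `sophos.xg`) although the raw line in `event.original` still carries `nat_rule_id=\"12\"` next to `fw_rule_id=\"12\"`, and nothing in this fixture shows where it went; unless the updated firewall pipeline now maps it to another field, the NAT rule attribution is silently dropped, which matters when auditing which NAT policy produced `source.nat.ip` 192.168.1.2 on these flows. The fixture also cannot catch that regression because both identifiers are `12`, so `rule.id: "12"` is satisfied whichever field the pipeline copies. Give one sample line distinct values, e.g. `fw_rule_id=\"12\" nat_rule_id=\"7\"`, and assert the expected `"nat_rule_id": "7"` (or whichever field it now lands in) so a dropped field fails the test. This hunk holds the tail of one event object and the head of the next, so neither object is fully visible here.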
@@ -3212,128 +3233,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "407386944", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214185079Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 33000000000, + "end": "2021-11-16T00:25:41.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3341,136 +3364,136 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "407384064", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 33000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214186923Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:08.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:41.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "bytes": 4992, - "mac": "00:50:56:9F:39:33", + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "bytes": 9718, + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", "packets": 31, - "ip": "142.250.114.93" - }, - "log": { - "level": "Information" + "port": 50872 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 4992, - "ip": "142.250.114.93", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 31 + "packets": 31, + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 50872, - "bytes": 9718, - "mac": "00:26:37:EE:47:20", - "packets": 31, - "ip": 
"192.168.2.111" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 19000000000, + "end": "2021-11-16T00:25:27.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", "bytes": 14710, + "direction": "outbound", "packets": 62, - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": 
"firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
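Review bot: The replacement destination `89.160.20.156` geolocates to Sweden (`destination.geo.country_iso_code: "SE"`) while the same event's raw line still says `dst_country=\"USA\"` (and `dst_country=\"AUS\"` on the ICMP lines above), so the sample logs are internally inconsistent after the IP swap. Since no `sophos.xg.dst_country` or `src_country` appears in the output on either side of the diff, the device-reported country is apparently discarded in favour of the GeoIP lookup; that is defensible, but it leaves an analyst no way to see when the firewall's own classification and the GeoIP database disagree. Either update the sample lines to `dst_country=\"SWE\"` so the fixture is self-consistent, or retain the vendor value as `sophos.xg.dst_country` and state the precedence in its field description. The event objects in this hunk begin and end outside it.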
@@ -3478,137 +3501,139 @@ ], "ip": [ "192.168.2.111", - "142.250.114.93", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 4992, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 31, + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_category": "Streaming Media", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Youtube Website", + "app_resolved_by": "Signature", + "app_risk": "3", + "app_technology": "Browser Based", + "con_event": "Stop", "con_id": "154391168", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_technology": "Browser Based", - "app_is_cloud": "FALSE", - "app_name": "Youtube Website", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_risk": "3", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", - "app_category": "Streaming Media", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 50872, + "source": { "bytes": 9718, + "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, "packets": 31, - "ip": "192.168.2.111" + "port": 50872 }, - "event": { - "duration": 19000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214188775Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"142.250.114.93\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:08.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:27.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 35000000000, + "end": "2021-11-16T00:25:43.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3616,125 +3641,125 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "2719001728", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 35000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214190601Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:08.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:43.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3742,128 +3767,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "1000196608", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214192438Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 38000000000, + "end": "2021-11-16T00:25:47.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:09.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3871,113 +3898,109 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "2719001088", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "ip": "192.168.2.16", + "mac": "00:50:56:9F:B1:FE", + "port": 63043 + }, + "destination": { + "ip": "192.168.1.167", + "mac": "00:50:56:9F:39:33", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "duration": 38000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214194256Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" 
log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:09.000Z", "action": "allowed", - "end": "2021-11-16T00:25:47.000Z", "category": [ "network" ], - "outcome": "success" - } - }, - { - "server": { - "port": 8089, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.1.167" + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" 
hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" }, "log": { "level": "Information" }, - "destination": { - "port": 8089, - "mac": "00:50:56:9F:39:33", - "ip": "192.168.1.167" - }, - "rule": { - "id": "12" - }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 63043, - "mac": "00:50:56:9F:B1:FE", - "ip": "192.168.2.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -3989,127 +4012,129 @@ "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.167", + "mac": "00:50:56:9F:39:33", + "port": 8089 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2685089984", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 63043, + "source": { + "ip": "192.168.2.16", "mac": "00:50:56:9F:B1:FE", - "ip": "192.168.2.16" + "nat": { + "ip": "192.168.1.2" + }, + "port": 63043 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214196095Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "bytes": 2229, - "mac": "00:50:56:9F:39:33", - "packets": 22, - "ip": "104.18.6.10" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "bytes": 2297, + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "packets": 20, + "port": 21957 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "port": 443, "bytes": 2229, - "ip": "104.18.6.10", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 22 + "packets": 22, + "port": 443 }, - "rule": { - "id": "11" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 21957, - "bytes": 2297, - "mac": "24:4B:FE:DD:C6:CE", - "packets": 20, - "ip": "192.168.2.41" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 411000000000, + "end": "2021-11-16T00:32:00.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + 
"outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:09.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", "bytes": 4526, + "direction": "outbound", "packets": 42, - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4117,129 +4142,130 @@ ], "ip": [ "192.168.2.41", - "104.18.6.10", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "11" + }, + "server": { + "bytes": 2229, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 22, + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Stop", "con_id": "407759360", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_technology": "Network Protocol", - "app_is_cloud": "FALSE", - "app_name": "Secure Socket Layer Protocol", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_risk": "1", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "9", - "app_category": "Infrastructure", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 21957, + "source": { "bytes": 2297, + "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "packets": 20, - "ip": "192.168.2.41" + "port": 21957 }, - "event": { - "duration": 411000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214197902Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" 
log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"104.18.6.10\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:09.000Z", - "action": "allowed", - "end": "2021-11-16T00:32:00.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:10.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
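Review bot: The new-side document in this hunk carries only `"rule": { "id": "11" }` and nothing that holds the NAT rule id — the removed `"nat_rule_id": "9"` line under `sophos.xg` has no replacement anywhere in the document, even though the `event.original` text on the new side of the preceding hunk still contains `nat_rule_id=\"9\"`. Because `fw_rule_id` and `nat_rule_id` differ in this sample, the fixture now pins a pipeline that silently drops the value an analyst needs to tie a translated flow back to the NAT rule that produced it; unless the rename to another field happens outside this view, the pipeline should keep it (for example retain `sophos.xg.nat_rule_id` until an ECS-aligned home is chosen). The same removal appears in the other firewall hunks of this file, where both ids happen to be `"12"` and the loss is not visible from the values alone. Since this is an expected-output fixture, the correction belongs in the firewall ingest pipeline, with the fixture regenerated rather than hand-edited.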
@@ -4247,128 +4273,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "1000197248", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214199824Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 32000000000, + "end": "2021-11-16T00:25:42.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:10.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:10.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4376,133 +4404,134 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "407385024", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" - }, - "event": { - "duration": 32000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214201658Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" 
src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:10.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:42.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 30000000000, + "end": "2021-11-16T00:25:40.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:10.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:10.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4510,125 +4539,125 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "154696512", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 30000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214203497Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:10.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:40.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:11.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
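Review bot: The new expected document keeps no trace of the device-reported `src_country="R1"` / `dst_country="AUS"` values, while `destination.geo.country_iso_code` now says `SE` for the same event — the GeoIP enrichment of the test address silently overrides the firewall's own geolocation claim, and nothing in `sophos.xg` records what the appliance said. For incident review that is a real loss: an analyst comparing the appliance's verdict with the enrichment database cannot do so from this document. If the pipeline intentionally drops these two fields, the fixture should at least reflect a retained copy, e.g. `"dst_country": "AUS"` under `sophos.xg`, or the README should state that vendor country codes are discarded in favour of GeoIP. Whether the drop happens in this PR or pre-dates it cannot be told from this hunk alone.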
@@ -4636,128 +4665,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "154391168", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214205363Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 32000000000, + "end": "2021-11-16T00:25:43.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:11.000Z" }, - "rule": { - "id": "12" + "host": { + "name": "defaulttest.local" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:11.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4765,128 +4796,127 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "407385984", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 32000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214207173Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:11.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:43.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.251.40.67" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "port": 59335 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.251.40.67" + "port": 443 }, - "rule": { - "id": "11" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 59335, - "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + 
"original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:11.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -4894,128 +4924,131 @@ ], "ip": [ "192.168.2.41", - "142.251.40.67", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "11" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2685088704", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "9", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 59335, + "source": { + "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "nat": { + "ip": "192.168.1.2" + }, + "port": 59335 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214209021Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.251.40.67\" 
dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 38000000000, + "end": "2021-11-16T00:25:50.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:12.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ 
- "preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", - "serial_number": "C01001BQC8TFFFF", - "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" }, "related": { "hosts": [ 
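Review bot: The removed line `"nat_rule_id": "9"` has no counterpart anywhere on the new side of this hunk, even though the raw event still carries `fw_rule_id="11" nat_rule_id="9"` and only the firewall rule survives as `rule.id: "11"`. Losing the NAT rule identifier is not cosmetic: for this UDP/443 session it is the only field that tells which translation policy produced `source.nat.ip`, which is exactly what a responder needs when reconstructing an outbound flow from a masqueraded address. Unless the updated pipeline writes the value to a field outside the visible keys, the fixture should keep `"nat_rule_id": "9"` under `sophos.xg` (or the new ECS location should be visible here) before the expected output is accepted. The same silent drop appears in the other firewall hunks of this file where `nat_rule_id` happens to equal `fw_rule_id`, which is probably why it went unnoticed.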
@@ -5023,125 +5056,125 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "1000194368", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 38000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214210860Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:12.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:50.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5149,120 +5182,121 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2694935808", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214212685Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "8.8.8.8" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "8.8.8.8" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "54:60:09:FD:33:EC", - "ip": "192.168.2.105" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" 
fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5270,123 +5304,123 @@ ], "ip": [ "192.168.2.105", - "8.8.8.8", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "1000194368", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } - }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "mac": "54:60:09:FD:33:EC", - "ip": "192.168.2.105" - }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214214565Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"8.8.8.8\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + }, + "source": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.250.68.131" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "port": 62171 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.250.68.131" + "port": 443 }, - "rule": { - "id": "11" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 62171, - "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall 
Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5394,131 +5428,133 @@ ], "ip": [ "192.168.2.41", - "142.250.68.131", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "11" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "151868992", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "9", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 62171, + "source": { + "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "nat": { + "ip": "192.168.1.2" + }, + "port": 62171 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214216380Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.250.68.131\" 
dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "bytes": 6770, - "mac": "00:50:56:9F:39:33", - "packets": 13, - "ip": "23.218.232.189" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "bytes": 1030, + "ip": "192.168.2.110", + "mac": "34:C9:3D:23:51:C2", + "packets": 11, + "port": 53271 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 24835, + "number": 29518, "organization": { - "name": "RAYA Telecom - Egypt" + "name": "Bredband2 AB" } }, - "port": 443, "bytes": 6770, - "ip": "23.218.232.189", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 13 + "packets": 13, + "port": 443 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 53271, - "bytes": 1030, - "mac": "34:C9:3D:23:51:C2", - "packets": 11, - "ip": "192.168.2.110" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 17000000000, + "end": "2021-11-16T00:25:29.000Z", + "kind": "event", 
+ "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:12.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "tcp", "bytes": 7800, + "direction": "outbound", "packets": 24, - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "vendor": 
"Sophos" }, "related": { "hosts": [ 
@@ -5526,132 +5562,132 @@ ], "ip": [ "192.168.2.110", - "23.218.232.189", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 6770, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 13, + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Stop", "con_id": "172106048", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_technology": "Network Protocol", - "app_is_cloud": "FALSE", - "app_name": "Secure Socket Layer Protocol", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_risk": "1", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", - "app_category": "Infrastructure", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 53271, + "source": { "bytes": 1030, + "ip": "192.168.2.110", "mac": "34:C9:3D:23:51:C2", + "nat": { + "ip": "192.168.1.2" + }, "packets": 11, - "ip": "192.168.2.110" + "port": 53271 }, - "event": { - "duration": 17000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214218210Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" 
log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"23.218.232.189\" dst_country=\"USA\" protocol=\"TCP\" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:12.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:29.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.251.33.14" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "port": 52915 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": 
"SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.251.33.14" + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 }, - "rule": { - "id": "11" + "host": { + "name": "defaulttest.local" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 52915, - "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - 
"egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:12.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5659,120 +5695,122 @@ ], "ip": [ "192.168.2.41", - "142.251.33.14", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "11" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "407385024", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "9", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 52915, + "source": { + "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "nat": { + "ip": "192.168.1.2" + }, + "port": 52915 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214220017Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.251.33.14\" 
dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22" }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, - "mac": "00:50:56:9F:39:33", - "ip": "1.1.1.1" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "icmp", - "direction": "outbound" + "direction": "outbound", + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": 
"WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:13.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5780,128 +5818,130 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "407386624", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + } }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214221851Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" 
protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { "bytes": 168, - "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" - }, - "log": { - "level": "Information" + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "packets": 2 }, "destination": { - "geo": { - "continent_name": "Oceania", - "country_name": "Australia", - "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" - }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." 
+ "name": "Bredband2 AB" } }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "packets": 2, - "ip": "1.1.1.1" + "packets": 2 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "bytes": 168, - "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 37000000000, + "end": "2021-11-16T00:25:50.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:13.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "transport": "icmp", "bytes": 336, + "direction": "outbound", "packets": 4, - "direction": "outbound" + "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:13.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -5909,128 +5949,127 @@ ], "ip": [ "192.168.2.121", - "1.1.1.1", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "bytes": 168, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, "sophos": { "xg": { - "icmp_type": "8", - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", "con_id": "407385344", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", + "icmp_type": "8", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Stop", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { + "source": { "bytes": 168, + "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", - "packets": 2, - "ip": "192.168.2.121" + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 }, - "event": { - "duration": 37000000000, - "severity": 6, - "ingested": "2021-11-16T04:10:32.214223726Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"1.1.1.1\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "start": "2021-11-16T00:25:13.000Z", - "action": "allowed", - "end": "2021-11-16T00:25:50.000Z", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 53, - "mac": "00:50:56:9F:39:33", - "ip": "8.8.8.8" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "port": 34141 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 53, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "8.8.8.8" + "port": 53 }, - "rule": { - "id": "12" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 34141, - "mac": "54:60:09:FD:33:EC", - "ip": "192.168.2.105" + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": 
"device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:13.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -6038,127 +6077,128 @@ ], "ip": [ "192.168.2.105", - "8.8.8.8", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "12" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "12", - "log_subtype": "Allowed", + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "DNS", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Start", "con_id": "407385344", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "app_technology": "Network Protocol", - "app_name": "DNS", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_risk": "1", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "12", - "app_category": "Infrastructure", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "12" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 34141, + "source": { + "ip": "192.168.2.105", "mac": "54:60:09:FD:33:EC", - "ip": "192.168.2.105" + "nat": { + "ip": "192.168.1.2" + }, + "port": 34141 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214225562Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 
app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"8.8.8.8\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] }, { - "server": { - "port": 443, - "mac": "00:50:56:9F:39:33", - "ip": "142.250.113.138" - }, - "log": { - "level": "Information" + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "port": 51751 }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "port": 443, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", - "ip": "142.250.113.138" + "port": 443 }, - "rule": { - "id": "11" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "ip": "192.168.1.2" - }, - "port": 51751, - "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "event": { + 
"action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", "ingress": { "interface": { "name": "Port1" }, "zone": "LAN" }, - "hostname": "sophos", "product": "XG", - "vendor": "Sophos", "serial_number": "C01001BQC8TFFFF", "type": "firewall", - "egress": { - "interface": { - "name": "Port2" - }, - "zone": "WAN" - } - }, - "@timestamp": "2021-11-16T00:25:13.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Sophos" }, "related": { "hosts": [ 
@@ -6166,53 +6206,51 @@ ], "ip": [ "192.168.2.41", - "142.250.113.138", + "89.160.20.156", "192.168.1.2" ] }, + "rule": { + "id": "11" + }, + "server": { + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, "sophos": { "xg": { - "log_component": "Firewall Rule", - "device_model": "SFVH", - "web_policy_id": "1", - "log_subtype": "Allowed", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", "con_id": "2719001088", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", "ips_policy_id": "8", - "message_id": "00001", - "app_is_cloud": "FALSE", - "device_name": "SFW", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", "log_type": "Firewall", - "con_event": "Start", - "ether_type": "Unknown (0x0000)", - "app_resolved_by": "Signature", - "qualifier": "New", - "nat_rule_id": "9", "log_version": "1", - "app_filter_policy_id": "6" + "message_id": "00001", + "qualifier": "New", + "web_policy_id": "1" } }, - "host": { - "name": "defaulttest.local" - }, - "client": { - "port": 51751, + "source": { + "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", - "ip": "192.168.2.41" + "nat": { + "ip": "192.168.1.2" + }, + "port": 51751 }, - "event": { - "severity": 6, - "ingested": "2021-11-16T04:10:32.214227413Z", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"142.250.113.138\" 
dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", - "code": "010101600001", - "kind": "event", - "action": "allowed", - "category": [ - "network" - ], - "outcome": "success" - } + "tags": [ + "preserve_original_event" + ] } ] }
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
index d7a2facbf88..97c7492f5e1 100644
--- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing sophosxg firewall logs
 processors:
-- set:
-    field: event.ingested
-    value: '{{_ingest.timestamp}}'
 - set:
     field: ecs.version
     value: '8.0.0'

From 7d00de966bff3c30ae91350f57b0a0f5bb575389 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Wed, 6 Apr 2022 14:25:36 -0400
Subject: [PATCH 3/6] version: 1.2.3

---
 packages/sophos/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml
index 3a89e018082..d6c7c8cb12d 100644
--- a/packages/sophos/manifest.yml
+++ b/packages/sophos/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sophos
 title: Sophos Logs
-version: 1.2.2
+version: 1.2.3
 description: Collect and parse logs from Sophos Products with Elastic Agent.
 categories: ["security"]
 release: ga

From 1df73f20659de222522f0bac1951a4d4725873b5 Mon Sep 17 00:00:00 2001
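Review bot: Dropping the `event.ingested` set processor leaves this pipeline with nothing that records when an event reached the cluster, a field that detection rules and ingest-latency or replay checks commonly key on; presumably the Fleet final pipeline now populates it (the expected-output fixtures in this same patch drop `"ingested"` accordingly), but that dependency is not written down anywhere in the file. A comment above `processors:` such as `# event.ingested is populated by the Fleet final pipeline; do not set it here` would record the intent for the next maintainer. Documents run through this pipeline outside Fleet (a manual simulate or reindex) will simply lack the field, which is fine if that is the stated expectation.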
From: Alex Resnick Date: Wed, 13 Apr 2022 00:31:03 +0000 Subject: [PATCH 4/6] updates from comments --- .../pipeline/test-sophos-xg.log-expected.json | 11 +++ .../test-xg-cfilter-new.log-expected.json | 96 +++++++++++++++++++ .../test-xg-firewall-new.log-expected.json | 90 +++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 14 +-- .../sophos/data_stream/xg/fields/fields.yml | 24 ++--- packages/sophos/docs/README.md | 6 +- 6 files changed, 215 insertions(+), 26 deletions(-) diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 3312263bc5c..5b16e43d588 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json @@ -4742,6 +4742,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "SVK", + "dst_zone_type": "WAN", "hb_health": "No Heartbeat", "iap": "0", "ips_policy_id": "0", @@ -4751,6 +4752,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "R1", + "src_zone_type": "LAN", "status": "Allow" } }, @@ -4901,6 +4903,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "SVK", + "dst_zone_type": "WAN", "hb_health": "No Heartbeat", "iap": "0", "ips_policy_id": "15", @@ -4910,6 +4913,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "R1", + "src_zone_type": "DMZ", "status": "Allow" } }, @@ -5875,6 +5879,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "R1", + "dst_zone_type": "VPN", "hb_health": "No Heartbeat", "iap": "0", "ips_policy_id": "11", @@ -5884,6 +5889,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "R1", + "src_zone_type": "VPN", "status": "Allow" } }, 
@@ -6150,6 +6156,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "R1", + "dst_zone_type": "LAN", "hb_health": "NoHeartbeat", "iap": "0", "ips_policy_id": "17", @@ -8955,6 +8962,7 @@ "device": "SFW", "device_name": "XG210", "dst_country_code": "GB", + "dst_zone_type": "DMZ", "ether_type": "Unknown (0x0000)", "hb_health": "No Heartbeat", "iap": "0", @@ -8965,6 +8973,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "ESP", + "src_zone_type": "WAN", "status": "Allow" } }, @@ -9109,6 +9118,7 @@ "connid": "2674291981", "device": "SFW", "device_name": "SF01V", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "hb_health": "No Heartbeat\"message=", "iap": "13", @@ -9118,6 +9128,7 @@ "log_type": "Firewall", "message_id": "00001", "priority": "Information", + "src_zone_type": "LAN", "status": "Allow" } }, diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json index f5e1ab29b27..8e1bbf0e8b0 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json @@ -177,6 +177,7 @@ "con_id": "173026752", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -185,6 +186,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -295,6 +297,7 @@ "con_id": "2694936768", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", 
@@ -303,6 +306,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -413,6 +417,7 @@ "con_id": "2564230592", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -421,6 +426,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -537,6 +543,7 @@ "content_type": "application/octet-stream", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "General Business", "http_category_type": "Acceptable", @@ -545,6 +552,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -655,6 +663,7 @@ "con_id": "2916030976", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "exceptions": "av,https,validation,policy,zero-day protection", "fw_rule_id": "12", "http_category": "Information Technology", @@ -664,6 +673,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -774,6 +784,7 @@ "con_id": "2564227072", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -782,6 +793,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -898,6 +910,7 @@ "content_type": "application/json", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "IPAddress", "http_category_type": "Acceptable", 
@@ -906,6 +919,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1018,6 +1032,7 @@ "con_id": "172826048", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Online Chat", "http_category_type": "Unproductive", @@ -1026,6 +1041,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1142,6 +1158,7 @@ "content_type": "text/plain", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "IPAddress", "http_category_type": "Acceptable", @@ -1150,6 +1167,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1267,6 +1285,7 @@ "content_type": "text/plain", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "IPAddress", "http_category_type": "Acceptable", @@ -1275,6 +1294,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1387,6 +1407,7 @@ "con_id": "2719000448", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -1395,6 +1416,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1508,6 +1530,7 @@ "con_id": "2721561088", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "11", "http_category": "Information Technology", "http_category_type": "Acceptable", 
@@ -1516,6 +1539,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" } @@ -1608,6 +1632,7 @@ "con_id": "175809792", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "LAN", "fw_rule_id": "16", "http_category": "IPAddress", "http_category_type": "Acceptable", @@ -1616,6 +1641,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" } @@ -1726,6 +1752,7 @@ "con_id": "2685143552", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "11", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -1734,6 +1761,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" } @@ -1844,6 +1872,7 @@ "con_id": "173140160", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -1852,6 +1881,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -1962,6 +1992,7 @@ "con_id": "3159009472", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "General Business", "http_category_type": "Acceptable", @@ -1970,6 +2001,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -2191,6 +2223,7 @@ "content_type": "application/octet-stream", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "General Business", "http_category_type": "Acceptable", 
@@ -2199,6 +2232,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -2309,6 +2343,7 @@ "con_id": "3729897984", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -2317,6 +2352,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -2432,6 +2468,7 @@ "con_id": "407760320", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -2440,6 +2477,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -2555,6 +2593,7 @@ "con_id": "3019156928", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -2563,6 +2602,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -2673,6 +2713,7 @@ "con_id": "172822528", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "11", "http_category": "Business Networking", "http_category_type": "Acceptable", @@ -2681,6 +2722,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" } @@ -2797,6 +2839,7 @@ "content_type": "text/html", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "8", "http_category": "Information Technology", "http_category_type": "Acceptable", 
@@ -2805,6 +2848,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" } @@ -2915,6 +2959,7 @@ "con_id": "407384704", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -2923,6 +2968,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3036,6 +3082,7 @@ "con_id": "3019356672", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Online Shopping", "http_category_type": "Unproductive", @@ -3044,6 +3091,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3154,6 +3202,7 @@ "con_id": "3159007232", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "exceptions": "av,https,validation,policy,zero-day protection", "fw_rule_id": "12", "http_category": "Information Technology", @@ -3163,6 +3212,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3273,6 +3323,7 @@ "con_id": "2432150656", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -3281,6 +3332,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3373,6 +3425,7 @@ "con_id": "2721559808", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "LAN", "fw_rule_id": "16", "http_category": "IPAddress", "http_category_type": "Acceptable", 
@@ -3381,6 +3434,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" } @@ -3491,6 +3545,7 @@ "con_id": "2685144512", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Entertainment", "http_category_type": "Unproductive", @@ -3499,6 +3554,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3609,6 +3665,7 @@ "con_id": "151870592", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -3617,6 +3674,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3727,6 +3785,7 @@ "con_id": "3019355392", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -3735,6 +3794,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3845,6 +3905,7 @@ "con_id": "2689611008", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "exceptions": "av,https,validation,policy,zero-day protection", "fw_rule_id": "12", "http_category": "Information Technology", @@ -3854,6 +3915,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -3964,6 +4026,7 @@ "con_id": "2432148096", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Search Engines", "http_category_type": "Acceptable", 
@@ -3972,6 +4035,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4082,6 +4146,7 @@ "con_id": "173138560", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "exceptions": "av,https,validation,policy,zero-day protection", "fw_rule_id": "12", "http_category": "Information Technology", @@ -4091,6 +4156,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4207,6 +4273,7 @@ "content_type": "application/octet-stream", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "General Business", "http_category_type": "Acceptable", @@ -4215,6 +4282,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4325,6 +4393,7 @@ "con_id": "2685088704", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Games", "http_category_type": "Unproductive", @@ -4333,6 +4402,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4443,6 +4513,7 @@ "con_id": "3017219520", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Search Engines", "http_category_type": "Acceptable", @@ -4451,6 +4522,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4561,6 +4633,7 @@ "con_id": "154695872", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", 
@@ -4569,6 +4642,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4679,6 +4753,7 @@ "con_id": "2169324160", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -4687,6 +4762,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4797,6 +4873,7 @@ "con_id": "173141120", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -4805,6 +4882,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -4915,6 +4993,7 @@ "con_id": "3732575808", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Online Chat", "http_category_type": "Unproductive", @@ -4923,6 +5002,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5039,6 +5119,7 @@ "content_type": "application/json", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "IPAddress", "http_category_type": "Acceptable", @@ -5047,6 +5128,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5159,6 +5241,7 @@ "con_id": "175214016", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "11", "http_category": "General Business", "http_category_type": "Acceptable", 
@@ -5167,6 +5250,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" } @@ -5277,6 +5361,7 @@ "con_id": "3732577728", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -5285,6 +5370,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5395,6 +5481,7 @@ "con_id": "173138880", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Content Delivery", "http_category_type": "Acceptable", @@ -5403,6 +5490,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5513,6 +5601,7 @@ "con_id": "2564229952", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "exceptions": "av,https,validation,policy,zero-day protection", "fw_rule_id": "12", "http_category": "Information Technology", @@ -5522,6 +5611,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5638,6 +5728,7 @@ "content_type": "application/octet-stream", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "General Business", "http_category_type": "Acceptable", @@ -5646,6 +5737,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } @@ -5756,6 +5848,7 @@ "con_id": "999027328", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "11", "http_category": "Advertisements", "http_category_type": "Unproductive", 
@@ -5764,6 +5857,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" } @@ -5874,6 +5968,7 @@ "con_id": "408293376", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "fw_rule_id": "12", "http_category": "Information Technology", "http_category_type": "Acceptable", @@ -5882,6 +5977,7 @@ "log_type": "Content Filtering", "log_version": "1", "message_id": "16001", + "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" } diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json index a031faed65d..8dcb866bdf6 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json @@ -100,6 +100,7 @@ "con_id": "3153941760", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -110,6 +111,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -225,6 +227,7 @@ "con_id": "151869632", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -235,6 +238,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -350,6 +354,7 @@ "con_id": "2719000128", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -360,6 +365,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, 
@@ -483,6 +489,7 @@ "con_id": "2718999808", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -494,6 +501,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -825,6 +833,7 @@ "con_id": "2916030336", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -836,6 +845,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -958,6 +968,7 @@ "con_id": "3153944000", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -969,6 +980,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1191,6 +1203,7 @@ "con_id": "2916028416", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -1202,6 +1215,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1298,6 +1312,7 @@ "con_id": "2916031936", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -1308,6 +1323,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1405,6 +1421,7 @@ "con_id": "172022272", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", 
@@ -1415,6 +1432,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1647,6 +1665,7 @@ "con_id": "408294336", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -1658,6 +1677,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1771,6 +1791,7 @@ "con_id": "2916030976", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -1782,6 +1803,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -1904,6 +1926,7 @@ "con_id": "1000195968", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -1915,6 +1938,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2028,6 +2052,7 @@ "con_id": "2916029696", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2039,6 +2064,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2164,6 +2190,7 @@ "con_id": "154390528", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2174,6 +2201,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, 
@@ -2408,6 +2436,7 @@ "con_id": "999027328", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2419,6 +2448,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2521,6 +2551,7 @@ "con_id": "2685088064", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2531,6 +2562,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2646,6 +2678,7 @@ "con_id": "151867392", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2656,6 +2689,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2768,6 +2802,7 @@ "con_id": "151870592", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2779,6 +2814,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -2904,6 +2940,7 @@ "con_id": "172108928", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -2914,6 +2951,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3012,6 +3050,7 @@ "con_id": "2685088384", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "LAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", 
@@ -3022,6 +3061,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "DMZ", "web_policy_id": "4" } }, @@ -3131,6 +3171,7 @@ "con_id": "172105728", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3142,6 +3183,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3253,6 +3295,7 @@ "con_id": "407386944", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3264,6 +3307,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3386,6 +3430,7 @@ "con_id": "407384064", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3397,6 +3442,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3528,6 +3574,7 @@ "con_id": "154391168", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3538,6 +3585,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3663,6 +3711,7 @@ "con_id": "2719001728", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3674,6 +3723,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, 
@@ -3787,6 +3837,7 @@ "con_id": "1000196608", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3798,6 +3849,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -3920,6 +3972,7 @@ "con_id": "2719001088", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -3931,6 +3984,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4029,6 +4083,7 @@ "con_id": "2685089984", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4039,6 +4094,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4169,6 +4225,7 @@ "con_id": "407759360", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4179,6 +4236,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "1" } }, @@ -4293,6 +4351,7 @@ "con_id": "1000197248", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4304,6 +4363,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4426,6 +4486,7 @@ "con_id": "407385024", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", 
@@ -4437,6 +4498,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4561,6 +4623,7 @@ "con_id": "154696512", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4572,6 +4635,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4685,6 +4749,7 @@ "con_id": "154391168", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4696,6 +4761,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4818,6 +4884,7 @@ "con_id": "407385984", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4829,6 +4896,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -4945,6 +5013,7 @@ "con_id": "2685088704", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -4955,6 +5024,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "1" } }, @@ -5078,6 +5148,7 @@ "con_id": "1000194368", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5089,6 +5160,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, 
@@ -5202,6 +5274,7 @@ "con_id": "2694935808", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5213,6 +5286,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -5324,6 +5398,7 @@ "con_id": "1000194368", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5335,6 +5410,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -5449,6 +5525,7 @@ "con_id": "151868992", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5459,6 +5536,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "1" } }, @@ -5589,6 +5667,7 @@ "con_id": "172106048", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5599,6 +5678,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -5716,6 +5796,7 @@ "con_id": "407385024", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5726,6 +5807,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "1" } }, @@ -5838,6 +5920,7 @@ "con_id": "407386624", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", 
@@ -5849,6 +5932,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -5971,6 +6055,7 @@ "con_id": "407385344", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -5982,6 +6067,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -6102,6 +6188,7 @@ "con_id": "407385344", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -6112,6 +6199,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "12" } }, @@ -6227,6 +6315,7 @@ "con_id": "2719001088", "device_model": "SFVH", "device_name": "SFW", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "fw_rule_type": "USER", "hb_status": "No Heartbeat", @@ -6237,6 +6326,7 @@ "log_version": "1", "message_id": "00001", "qualifier": "New", + "src_zone_type": "LAN", "web_policy_id": "1" } }, diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index 97c7492f5e1..daf00d2a22f 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml @@ -187,6 +187,14 @@ processors: field: sophos.xg.dst_zone target_field: observer.egress.zone ignore_missing: true +- rename: + field: sophos.xg.srczonetype + target_field: sophos.xg.src_zone_type + ignore_missing: true +- rename: + field: sophos.xg.dstzonetype + target_field: sophos.xg.dst_zone_type + ignore_missing: true # extract from log_id the new field "sophos.xg.message_id" - set: 
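Review bot: The two new `rename` processors in the default.yml hunk carry no comment saying which log format emits `srczonetype`/`dstzonetype`, so a later reader has to work out why both that spelling and `src_zone_type`/`dst_zone_type` are handled in the same pipeline. The neighbouring processor (`sophos.xg.dst_zone` to `observer.egress.zone`) explains itself; these two would as well with one line above the first of them such as `# normalise the srczonetype/dstzonetype keys onto the src_zone_type/dst_zone_type names that fields.yml maps`. That the un-underscored keys are an older spelling of the same data is inferred from the fixture changes in this patch rather than stated by the hunk, so adjust the wording if their origin differs.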
@@ -247,16 +255,10 @@ processors: - sophos.xg.duration - sophos.xg.timezone - sophos.xg.dir_disp - - sophos.xg.srczone - - sophos.xg.dstzone - sophos.xg.log_occurrence - sophos.xg.nat_rule_id - sophos.xg.in_display_interface - sophos.xg.out_display_interface - - sophos.xg.srczonetype - - sophos.xg.dstzonetype - - sophos.xg.src_zone_type - - sophos.xg.dst_zone_type - syslog5424_pri ignore_missing: true diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 1adcb2547e6..72f84fd9dbb 100644 --- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml @@ -204,22 +204,6 @@ type: integer description: | Translated destination port for outgoing traffic - - name: srczonetype - type: keyword - description: | - Type of source zone, e.g., LAN - - name: srczone - type: keyword - description: | - Name of source zone - - name: dstzonetype - type: keyword - description: | - Type of destination zone, e.g., WAN - - name: dstzone - type: keyword - description: | - Name of destination zone - name: dir_disp type: keyword description: | @@ -848,6 +832,14 @@ type: keyword description: | Reported IP + - name: dst_zone_type + type: keyword + description: | + Type of destination zone + - name: src_zone_type + type: keyword + description: | + Type of source zone - name: log.source.address type: keyword ignore_above: 1024 diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 102fb377a91..237435c499f 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md 
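Review bot: The remove-list hunk stops dropping `sophos.xg.srczone` and `sophos.xg.dstzone`, while the fields.yml hunks on the same line delete the `srczone`/`dstzone` field definitions and add only `src_zone_type`/`dst_zone_type`. Unless a rename of those two keys onto `src_zone`/`dst_zone` exists earlier in the pipeline (not visible in this chunk), an event that still carries `srczone=`/`dstzone=` would now keep them in the document as fields with no mapping, which is exactly the unmapped-field situation the remove list existed to prevent. If such a rename is present nothing changes; if it is not, either keep `- sophos.xg.srczone` and `- sophos.xg.dstzone` in the remove list or rename them onto the `src_zone`/`dst_zone` names next to the zone-type renames, so that the ingest pipeline and fields.yml agree on which zone fields survive.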
@@ -1128,9 +1128,8 @@ An example event for `xg` looks as following: | sophos.xg.dst_domainname | Receiver domain name | keyword | | sophos.xg.dst_ip | Original destination IP address of traffic | ip | | sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer | +| sophos.xg.dst_zone_type | Type of destination zone | keyword | | sophos.xg.dstdomain | Destination Domain | keyword | -| sophos.xg.dstzone | Name of destination zone | keyword | -| sophos.xg.dstzonetype | Type of destination zone, e.g., WAN | keyword | | sophos.xg.duration | Durability of traffic (seconds) | long | | sophos.xg.email_subject | Email Subject | keyword | | sophos.xg.ep_uuid | Endpoint UUID | keyword | @@ -1228,8 +1227,7 @@ An example event for `xg` looks as following: | sophos.xg.src_ip | Original source IP address of traffic | ip | | sophos.xg.src_mac | Original source MAC address of traffic | keyword | | sophos.xg.src_port | Original source port of TCP and UDP traffic | integer | -| sophos.xg.srczone | Name of source zone | keyword | -| sophos.xg.srczonetype | Type of source zone, e.g., LAN | keyword | +| sophos.xg.src_zone_type | Type of source zone | keyword | | sophos.xg.ssid | ssid | keyword | | sophos.xg.start_time | Start time | date | | sophos.xg.starttime | Starttime | date | From e4879b651496281ebf1c0fdb26fc36f32b442532 Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Mon, 18 Apr 2022 20:13:48 +0000 Subject: [PATCH 5/6] Updates per comments --- .../pipeline/test-sophos-xg.log-expected.json | 1177 ++++++++++++++++- .../test-xg-cfilter-new.log-expected.json | 854 +++++++++++- .../test-xg-firewall-new.log-expected.json | 998 +++++++++++++- .../ingest_pipeline/antispam.yml | 26 - .../ingest_pipeline/antivirus.yml | 30 - .../xg/elasticsearch/ingest_pipeline/atp.yml | 34 - .../elasticsearch/ingest_pipeline/cfilter.yml | 30 - .../elasticsearch/ingest_pipeline/default.yml | 17 +- .../elasticsearch/ingest_pipeline/event.yml | 12 - .../ingest_pipeline/firewall.yml | 50 - .../xg/elasticsearch/ingest_pipeline/idp.yml | 30 - .../ingest_pipeline/sandstorm.yml | 4 - .../xg/elasticsearch/ingest_pipeline/waf.yml | 26 - packages/sophos/data_stream/xg/fields/ecs.yml | 56 +- packages/sophos/docs/README.md | 48 +- 15 files changed, 3023 insertions(+), 369 deletions(-) diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 5b16e43d588..8bf3c14116f 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json @@ -4,7 +4,11 @@ "@timestamp": "2020-05-18T14:38:48.000Z", "client": { "bytes": 0, - "port": 0 + "domain": "elasticuser.com", + "port": 0, + "user": { + "email": "firewall@firewallgate.com" + } }, "destination": { "bytes": 0, @@ -53,7 +57,10 @@ }, "server": { "bytes": 0, - "port": 0 + "port": 0, + "user": { + "email": "Sysadmin@elasticuser.com" + } }, "sophos": { "xg": { 
@@ -90,8 +97,24 @@ "@timestamp": "2020-05-18T14:38:49.000Z", "client": { "bytes": 0, + "domain": "constant-big.email", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 52742 + "port": 52742, + "user": { + "email": "telekommunikation@constant-big.email" + } }, "destination": { "bytes": 0, @@ -153,8 +176,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@pelasticuser.com" + } }, "sophos": { "xg": { @@ -206,8 +244,24 @@ "@timestamp": "2020-05-18T14:38:50.000Z", "client": { "bytes": 0, + "domain": "17buddies.net", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 51789 + "port": 51789, + "user": { + "email": "ripxfc@17buddies.net" + } }, "destination": { "bytes": 0, @@ -271,8 +325,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "hein.mueck@elasticuser.de" + } }, "sophos": { "xg": { 
@@ -324,8 +393,24 @@ "@timestamp": "2020-05-18T14:38:51.000Z", "client": { "bytes": 0, + "domain": "ELTOBGI.COM", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 55002 + "port": 55002, + "user": { + "email": "SHERIF.TOBGI@ELTOBGI.COM" + } }, "destination": { "bytes": 0, @@ -389,8 +474,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elasticuser.com" + } }, "sophos": { "xg": { @@ -442,8 +542,12 @@ "@timestamp": "2017-01-31T18:34:41.000Z", "client": { "bytes": 0, + "domain": " iview.com", "ip": "10.198.47.71", - "port": 22420 + "port": 22420, + "user": { + "email": "gaurav1@iview.com" + } }, "destination": { "bytes": 0, @@ -496,7 +600,10 @@ "server": { "bytes": 0, "ip": "10.198.233.61", - "port": 25 + "port": 25, + "user": { + "email": " gaurav2@iview.com" + } }, "sophos": { "xg": { @@ -536,8 +643,12 @@ "@timestamp": "2018-06-06T11:10:11.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 58043 + "port": 58043, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, @@ -590,7 +701,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } }, "sophos": { "xg": { 
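Review bot: The new `client.domain` and `client.user.email`/`server.user.email` values pinned in this fixture contain stray whitespace, `" iview.com"` and `" gaurav2@iview.com"` here and `"pankhil1@Postman. local"`, `"pankhil@postman. local"` and `"gaurav2@iview. com"` on the following line, so the expected output now asserts that untrimmed or internally broken addresses are the correct result. It cannot be told from this chunk whether the spaces originate in the sample log or are introduced by the new copy into the ECS `client`/`server` fields; in the first case a `trim` on the source address and domain fields before they are copied would keep the values usable for matching and enrichment, in the second the pipeline change itself needs fixing. Either way the fixture should be regenerated after the source is corrected rather than accepted as the reference.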
@@ -630,8 +744,12 @@ "@timestamp": "2018-06-06T12:50:07.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60134 + "port": 60134, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, @@ -684,7 +802,10 @@ "server": { "bytes": 0, "ip": "10.198.17.121", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman. local" + } }, "sophos": { "xg": { @@ -724,8 +845,12 @@ "@timestamp": "2018-06-06T12:51:34.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60298 + "port": 60298, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, @@ -776,7 +901,10 @@ "server": { "bytes": 0, "ip": "10.198.16.204", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } }, "sophos": { "xg": { @@ -901,8 +1029,12 @@ "@timestamp": "2018-06-06T12:56:53.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60608 + "port": 60608, + "user": { + "email": "pankhil1@postman.local" + } }, "destination": { "bytes": 0, @@ -955,7 +1087,10 @@ "server": { "bytes": 0, "ip": "10.198.17.121", - "port": 25 + "port": 25, + "user": { + "email": "pankhil@postman. local" + } }, "sophos": { "xg": { @@ -994,8 +1129,12 @@ "@timestamp": "2017-01-31T18:31:11.000Z", "client": { "bytes": 0, + "domain": " iview.com", "ip": "10.198.47.71", - "port": 22333 + "port": 22333, + "user": { + "email": "gaurav1@iview.com" + } }, "destination": { "bytes": 0, @@ -1048,7 +1187,10 @@ "server": { "bytes": 0, "ip": "10.198.233.61", - "port": 110 + "port": 110, + "user": { + "email": "gaurav2@iview. com" + } }, "sophos": { "xg": { 
@@ -1089,6 +1231,18 @@ "@timestamp": "2020-05-18T14:38:33.000Z", "client": { "bytes": 550, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57695 }, @@ -1162,6 +1316,18 @@ }, "server": { "bytes": 1616, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -1212,6 +1378,18 @@ "@timestamp": "2020-05-18T14:38:34.000Z", "client": { "bytes": 541, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57835 }, @@ -1285,6 +1463,18 @@ }, "server": { "bytes": 553, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -1335,8 +1525,23 @@ "@timestamp": "2020-05-18T14:38:35.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 56336 + "port": 56336, + "user": { + "email": "info@farasamed.com" + } }, "destination": { "bytes": 0, 
@@ -1406,8 +1611,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elastic-user.local" + } }, "sophos": { "xg": { @@ -1459,10 +1679,25 @@ "@timestamp": "2020-05-18T14:38:36.000Z", "client": { "bytes": 0, - "ip": "175.16.199.1", - "port": 54693 - }, - "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54693, + "user": { + "email": "spedizioni@divella.it" + } + }, + "destination": { "bytes": 0, "geo": { "city_name": "Changchun", @@ -1530,8 +1765,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elastic-user.local" + } }, "sophos": { "xg": { @@ -1584,7 +1834,10 @@ "client": { "bytes": 0, "ip": "10.198.16.121", - "port": 56653 + "port": 56653, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, @@ -1644,7 +1897,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 995 + "port": 995, + "user": { + "email": "pankhil@postman.local" + } }, "sophos": { "xg": { @@ -1685,7 +1941,10 @@ "client": { "bytes": 0, "ip": "10.198.16.121", - "port": 56632 + "port": 56632, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, 
@@ -1745,7 +2004,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 993 + "port": 993, + "user": { + "email": "ganga@postman.local" + } }, "sophos": { "xg": { @@ -1970,7 +2232,10 @@ "@timestamp": "2017-01-31T18:44:31.000Z", "client": { "ip": "10.198.47.71", - "port": 22623 + "port": 22623, + "user": { + "name": "jsmith" + } }, "destination": { "geo": { @@ -2036,6 +2301,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -2069,6 +2346,18 @@ { "@timestamp": "2020-05-18T14:38:34.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57579 }, @@ -2132,6 +2421,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -2174,6 +2475,18 @@ { "@timestamp": "2020-05-18T14:38:35.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57540 }, 
@@ -2237,6 +2550,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -2343,6 +2668,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 0 }, @@ -2375,7 +2712,13 @@ "client": { "bytes": 0, "ip": "10.198.47.71", - "port": 9444 + "port": 9444, + "user": { + "group": { + "name": "Open Group" + }, + "name": "jsmith" + } }, "destination": { "bytes": 319007, @@ -2441,6 +2784,18 @@ }, "server": { "bytes": 319007, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, @@ -2485,6 +2840,18 @@ "@timestamp": "2017-02-01T18:20:21.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 46719 }, @@ -2550,6 +2917,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, 
@@ -2600,6 +2979,18 @@ "@timestamp": "2017-02-01T18:13:29.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 49128 }, @@ -2665,6 +3056,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 5228 }, @@ -2714,6 +3117,18 @@ "@timestamp": "2020-05-18T14:38:51.000Z", "client": { "bytes": 259, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 62851 }, @@ -2782,6 +3197,18 @@ }, "server": { "bytes": 168, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, @@ -2835,6 +3262,18 @@ "@timestamp": "2020-05-18T14:38:52.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 60471 }, 
@@ -2905,6 +3344,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, @@ -2958,6 +3409,18 @@ "@timestamp": "2020-05-18T14:38:53.000Z", "client": { "bytes": 980, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 65391 }, @@ -3026,6 +3489,18 @@ }, "server": { "bytes": 295, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3159,7 +3634,13 @@ "client": { "bytes": 0, "ip": "192.168.73.220", - "port": 37832 + "port": 37832, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } }, "destination": { "bytes": 0, @@ -3225,6 +3706,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3271,7 +3764,13 @@ "client": { "bytes": 0, "ip": "192.168.73.220", - "port": 46322 + "port": 46322, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } }, "destination": { "bytes": 619, 
@@ -3337,6 +3836,18 @@ }, "server": { "bytes": 619, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3384,7 +3895,25 @@ { "@timestamp": "2020-05-18T14:38:57.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "group": { + "name": "Open Group" + }, + "name": "elastic.user@elastic.test.com" + } }, "ecs": { "version": "8.0.0" @@ -3472,7 +4001,22 @@ { "@timestamp": "2020-05-18T14:38:58.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } }, "destination": { "geo": { @@ -3524,6 +4068,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { 
@@ -3606,15 +4162,30 @@ "status": "Expire" } }, - "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2020-05-18T14:39:00.000Z", - "client": { - "ip": "175.16.199.1" - }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000Z", + "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } + }, "ecs": { "version": "8.0.0" }, @@ -3798,7 +4369,22 @@ { "@timestamp": "2020-05-18T14:39:03.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } }, "ecs": { "version": "8.0.0" @@ -3882,7 +4468,10 @@ { "@timestamp": "2020-05-18T14:39:04.000Z", "client": { - "bytes": 0 + "bytes": 0, + "user": { + "name": "elastic.user@elastic.test.com" + } }, "destination": { "bytes": 0 @@ -3949,7 +4538,22 @@ { "@timestamp": "2020-05-18T14:39:05.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "hendrikl" + } }, "ecs": { "version": "8.0.0" @@ -4077,7 +4681,10 @@ { "@timestamp": "2020-05-18T14:39:07.000Z", "client": { - "ip": "10.83.234.5" + "ip": "10.83.234.5", + "user": { + "name": "admin" + } }, "ecs": { "version": "8.0.0" 
@@ -4138,7 +4745,22 @@ { "@timestamp": "2020-05-18T14:39:08.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "root" + } }, "ecs": { "version": "8.0.0" @@ -4304,7 +4926,13 @@ "@timestamp": "2020-05-18T14:39:20.000Z", "client": { "bytes": 0, - "ip": "10.84.234.38" + "ip": "10.84.234.38", + "user": { + "group": { + "name": "VPN.SSL.Users.elastic" + }, + "name": "elastic.user@elastic.test.com" + } }, "destination": { "bytes": 0 @@ -4626,9 +5254,22 @@ "@timestamp": "2020-05-18T14:38:37.000Z", "client": { "bytes": 459, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "nat": { + "ip": "175.16.199.1", "port": 0 }, "packets": 6, @@ -4722,6 +5363,18 @@ }, "server": { "bytes": 606, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -4787,9 +5440,22 @@ "@timestamp": "2020-05-18T14:38:38.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "nat": { + "ip": "175.16.199.1", "port": 0 }, "packets": 0, 
@@ -4883,6 +5549,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -4948,6 +5626,18 @@ "@timestamp": "2020-05-18T14:38:39.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "24:01:c7:07:2b:a2", "nat": { @@ -5039,6 +5729,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -5100,7 +5802,13 @@ "port": 0 }, "packets": 0, - "port": 60102 + "port": 60102, + "user": { + "group": { + "name": "elastic.group.local" + }, + "name": "elastic@user.local" + } }, "destination": { "bytes": 0, @@ -5226,6 +5934,18 @@ "@timestamp": "2020-05-18T14:38:41.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "c4:f7:d5:b5:47:f4", "nat": { @@ -5312,6 +6032,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 
@@ -5368,13 +6100,31 @@ "@timestamp": "2020-05-18T14:38:42.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "24:01:c7:07:2b:a2", "nat": { "port": 0 }, "packets": 0, - "port": 51826 + "port": 51826, + "user": { + "group": { + "name": "elastic.group.local" + }, + "name": "elastic@user.local" + } }, "destination": { "bytes": 0, @@ -5513,6 +6263,18 @@ "@timestamp": "2020-05-18T14:38:43.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "34:db:fd:83:d8:09", "nat": { @@ -5768,7 +6530,13 @@ "port": 0 }, "packets": 0, - "port": 58543 + "port": 58543, + "user": { + "group": { + "name": "elastic.group.local" + }, + "name": "elastic@user.local" + } }, "destination": { "bytes": 0, @@ -5861,6 +6629,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -6003,6 +6783,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 
@@ -6049,6 +6841,18 @@ "@timestamp": "2020-06-05T12:38:53.000Z", "client": { "bytes": 1802, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "nat": { @@ -6141,6 +6945,18 @@ }, "server": { "bytes": 1732, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "packets": 6, "port": 88 @@ -6280,6 +7096,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -6861,6 +7689,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -7224,6 +8064,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 
@@ -7267,6 +8119,18 @@ { "@timestamp": "2020-05-18T14:38:54.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 41528 }, @@ -7334,6 +8198,18 @@ "name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -7379,6 +8255,18 @@ { "@timestamp": "2020-05-18T14:38:55.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 58914 }, @@ -7446,6 +8334,18 @@ "name": "PROTOCOL-DNS named version attempt" }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 53 }, @@ -7491,6 +8391,18 @@ { "@timestamp": "2020-05-18T14:38:56.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 59476 }, 
@@ -7558,6 +8470,18 @@ "name": "SERVER-WEBAPP DrayTek multiple products command injection attempt" }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -7838,7 +8762,10 @@ { "@timestamp": "2017-01-31T14:52:11.000Z", "client": { - "ip": "10.198.47.112" + "ip": "10.198.47.112", + "user": { + "name": "jsmith@iview.com" + } }, "ecs": { "version": "8.0.0" @@ -7976,7 +8903,10 @@ { "@timestamp": "2017-01-31T15:28:25.000Z", "client": { - "ip": "10.198.47.112" + "ip": "10.198.47.112", + "user": { + "name": "jsmith" + } }, "ecs": { "version": "8.0.0" @@ -8056,7 +8986,10 @@ { "@timestamp": "2017-01-31T15:28:25.000Z", "client": { - "ip": "10.198.47.112" + "ip": "10.198.47.112", + "user": { + "name": "jsmith" + } }, "ecs": { "version": "8.0.0" @@ -8213,6 +9146,18 @@ "@timestamp": "2020-05-18T14:38:46.000Z", "client": { "bytes": 1419, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { @@ -8276,7 +9221,19 @@ ] }, "server": { - "bytes": 5669, + "bytes": 401, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { 
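Review bot: In the last hunk on this line (`@@ -8276,7 +9221,19 @@`) `server.bytes` changes from `5669` to `401`, and the following hunks replace it with `200` and `403` (`@@ -8388`, `@@ -8494`, `@@ -8592`, `@@ -8699`); these new values coincide with common HTTP status codes, so it is worth confirming against the raw sample lines that the pipeline now copies the server byte count rather than a status field. Where the surrounding context is visible (`@@ -8438`, `@@ -8535`) the new value equals `destination.bytes`, which is the expected ECS client/server pairing, so the change may well be correct. If it is, a sentence in the commit description saying that `server.bytes` is now aligned with `destination.bytes` would make this fixture change easy to audit; if not, the old byte counts should be restored and the status code kept in its own field. The enclosing JSON record starts and ends outside the hunk.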
@@ -8325,6 +9282,18 @@ "@timestamp": "2020-05-18T14:38:47.000Z", "client": { "bytes": 1774, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { @@ -8388,7 +9357,19 @@ ] }, "server": { - "bytes": 1357, + "bytes": 200, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { @@ -8438,7 +9419,10 @@ "@timestamp": "2020-05-19T17:20:29.000Z", "client": { "bytes": 510, - "ip": "10.198.235.254" + "ip": "10.198.235.254", + "user": { + "name": "jsmith" + } }, "destination": { "bytes": 403, @@ -8494,7 +9478,7 @@ ] }, "server": { - "bytes": 726, + "bytes": 403, "ip": "10.198.233.48" }, "sophos": { @@ -8535,7 +9519,10 @@ "@timestamp": "2020-05-19T18:03:30.000Z", "client": { "bytes": 715, - "ip": "10.198.235.254" + "ip": "10.198.235.254", + "user": { + "name": "jsmith" + } }, "destination": { "bytes": 403, @@ -8592,7 +9579,7 @@ ] }, "server": { - "bytes": 739, + "bytes": 403, "ip": "10.198.233.48" }, "sophos": { @@ -8635,6 +9622,18 @@ "@timestamp": "2020-05-20T18:03:31.000Z", "client": { "bytes": 295, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { 
@@ -8699,7 +9698,19 @@ ] }, "server": { - "bytes": 5353, + "bytes": 403, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { @@ -8840,10 +9851,29 @@ { "@timestamp": "2021-02-11T13:12:45.000Z", "client": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 0, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "11:22:33:44:55:66", "nat": { + "ip": "216.160.83.57", "port": 0 }, "packets": 0, @@ -8942,10 +9972,26 @@ "ruleset": "1" }, "server": { + "as": { + "number": 209 + }, "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "66:55:44:33:22:11", "nat": { + "ip": "216.160.83.61", "port": 0 }, "packets": 0, @@ -9017,6 +10063,7 @@ "ip": "10.146.13.30", "mac": "00:50:56:99:51:94", "nat": { + "ip": "10.8.13.110", "port": 0 }, "packets": 0, diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json index 8e1bbf0e8b0..21cb12e5a51 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json 
@@ -167,7 +167,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2856085, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -287,7 +305,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 1708430, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -407,7 +443,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2608205, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -532,7 +586,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, 
@@ -653,7 +725,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 3511, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -774,7 +864,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2569044, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -899,7 +1007,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 307, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 8089 }, @@ -1022,7 +1148,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 33728, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -1147,7 +1291,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 136, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -1274,7 +1436,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 123, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -1397,7 +1577,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 1834077, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -1517,7 +1715,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 11890, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -1742,7 +1958,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 1556, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -1862,7 +2096,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2516804, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -1982,10 +2234,28 @@ ] }, "server": { - "bytes": 1259, - "ip": "89.160.20.156", - "port": 443 - }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1259, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2096,6 +2366,24 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 4000 }, 
@@ -2212,7 +2500,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -2333,7 +2639,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 4092, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -2458,7 +2782,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -2583,7 +2925,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, 
@@ -2703,7 +3063,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 6231, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -2828,7 +3206,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 270, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -2949,7 +3345,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2569893, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -3069,7 +3483,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 5643, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -3192,7 +3624,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 4386, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -3313,7 +3763,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2046, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -3535,7 +4003,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 6023, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -3655,7 +4141,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 8533, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -3775,7 +4279,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 4923601, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -3895,7 +4417,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 7256, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4016,7 +4556,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2128, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4136,7 +4694,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 4408, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -4262,7 +4838,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -4383,7 +4977,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4503,7 +5115,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2848, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4623,7 +5253,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 63488, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -4743,7 +5391,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 7520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4863,7 +5529,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 9567, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -4983,7 +5667,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 6253, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -5108,7 +5810,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 307, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 8089 }, 
@@ -5231,7 +5951,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 584, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -5351,7 +6089,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2607, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -5471,7 +6227,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 5080099, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -5591,7 +6365,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 10552, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, 
@@ -5717,7 +6509,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 80 }, @@ -5838,7 +6648,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 1633, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -5958,7 +6786,25 @@ ] }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2901, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json index 8dcb866bdf6..f07f12ec861 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json @@ -5,6 +5,9 @@ "client": { "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, "port": 50875 }, "destination": { 
@@ -87,6 +90,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -132,6 +153,9 @@ "client": { "ip": "192.168.2.162", "mac": "A4:FC:77:2E:BD:6F", + "nat": { + "ip": "192.168.1.2" + }, "port": 56257 }, "destination": { @@ -214,6 +238,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -259,6 +301,9 @@ "client": { "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, "port": 50876 }, "destination": { @@ -341,6 +386,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -387,6 +450,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { 
@@ -475,7 +541,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -595,6 +679,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -704,6 +806,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -740,7 +860,10 @@ "@timestamp": "2021-11-16T00:25:01.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -821,6 +944,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, 
@@ -866,6 +1007,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -954,7 +1098,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -1074,6 +1236,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -1110,7 +1290,10 @@ "@timestamp": "2021-11-16T00:25:02.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -1191,6 +1374,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -1235,6 +1436,9 @@ "client": { "ip": "192.168.2.32", "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, "port": 59346 }, "destination": { 
@@ -1344,6 +1548,9 @@ "client": { "ip": "192.168.2.32", "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, "port": 59347 }, "destination": { @@ -1525,6 +1732,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -1563,6 +1788,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -1651,7 +1879,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -1698,7 +1944,10 @@ "@timestamp": "2021-11-16T00:25:03.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { 
@@ -1779,10 +2028,28 @@ "id": "12" }, "server": { - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, - "sophos": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { "xg": { "app_filter_policy_id": "6", "app_is_cloud": "FALSE", @@ -1824,6 +2091,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -1912,7 +2182,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -1959,7 +2247,10 @@ "@timestamp": "2021-11-16T00:25:04.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -2040,6 +2331,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, 
@@ -2085,6 +2394,9 @@ "bytes": 216, "ip": "192.168.2.122", "mac": "2C:AA:8E:2A:5C:23", + "nat": { + "ip": "192.168.1.2" + }, "packets": 4, "port": 41242 }, @@ -2175,7 +2487,25 @@ "id": "19" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2, @@ -2296,6 +2626,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "port": 443 }, @@ -2334,6 +2682,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -2422,7 +2773,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -2470,6 +2839,9 @@ "client": { "ip": "192.168.2.112", "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, "port": 47944 }, "destination": { @@ -2583,6 +2955,9 @@ "client": { "ip": "192.168.2.112", "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, "port": 55499 }, "destination": { 
@@ -2665,6 +3040,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 80 @@ -2709,7 +3102,10 @@ "@timestamp": "2021-11-16T00:25:05.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -2790,6 +3186,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -2835,6 +3249,9 @@ "bytes": 216, "ip": "192.168.2.118", "mac": "2C:AA:8E:1D:B6:D9", + "nat": { + "ip": "192.168.1.2" + }, "packets": 4, "port": 44720 }, @@ -2925,7 +3342,25 @@ "id": "19" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2, @@ -3078,7 +3513,10 @@ "@timestamp": "2021-11-16T00:25:07.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { 
@@ -3159,6 +3597,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -3202,7 +3658,10 @@ "@timestamp": "2021-11-16T00:25:08.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -3283,6 +3742,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -3328,6 +3805,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { 
@@ -3416,18 +3896,36 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, - "sophos": { - "xg": { - "app_filter_policy_id": "6", - "app_is_cloud": "FALSE", - "app_resolved_by": "Signature", - "con_event": "Stop", - "con_id": "407384064", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "407384064", "device_model": "SFVH", "device_name": "SFW", "dst_zone_type": "WAN", @@ -3465,6 +3963,9 @@ "bytes": 9718, "ip": "192.168.2.111", "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, "packets": 31, "port": 50872 }, @@ -3555,7 +4056,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 4992, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 31, @@ -3609,6 +4128,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { 
@@ -3697,7 +4219,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -3744,7 +4284,10 @@ "@timestamp": "2021-11-16T00:25:09.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -3825,6 +4368,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -3870,6 +4431,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -3958,7 +4522,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -4006,6 +4588,9 @@ "client": { "ip": "192.168.2.16", "mac": "00:50:56:9F:B1:FE", + "nat": { + "ip": "192.168.1.2" + }, "port": 63043 }, "destination": { 
@@ -4116,6 +4701,9 @@ "bytes": 2297, "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "packets": 20, "port": 21957 }, @@ -4206,7 +4794,25 @@ "id": "11" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 2229, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 22, @@ -4258,7 +4864,10 @@ "@timestamp": "2021-11-16T00:25:10.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -4339,6 +4948,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -4384,6 +5011,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -4472,7 +5102,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 
@@ -4521,6 +5169,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -4609,7 +5260,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -4656,7 +5325,10 @@ "@timestamp": "2021-11-16T00:25:11.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -4737,6 +5409,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -4782,6 +5472,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -4870,7 +5563,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 
@@ -4918,6 +5629,9 @@ "client": { "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "port": 59335 }, "destination": { @@ -5000,6 +5714,24 @@ "id": "11" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -5046,6 +5778,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -5134,7 +5869,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 @@ -5181,7 +5934,10 @@ "@timestamp": "2021-11-16T00:25:12.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -5262,6 +6018,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, 
@@ -5305,7 +6079,10 @@ "@timestamp": "2021-11-16T00:25:12.000Z", "client": { "ip": "192.168.2.105", - "mac": "54:60:09:FD:33:EC" + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -5386,6 +6163,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -5430,6 +6225,9 @@ "client": { "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "port": 62171 }, "destination": { @@ -5512,6 +6310,24 @@ "id": "11" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -5558,6 +6374,9 @@ "bytes": 1030, "ip": "192.168.2.110", "mac": "34:C9:3D:23:51:C2", + "nat": { + "ip": "192.168.1.2" + }, "packets": 11, "port": 53271 }, @@ -5648,7 +6467,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 13, 
@@ -5701,6 +6538,9 @@ "client": { "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "port": 52915 }, "destination": { @@ -5783,6 +6623,24 @@ "id": "11" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 @@ -5827,7 +6685,10 @@ "@timestamp": "2021-11-16T00:25:13.000Z", "client": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22" + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } }, "destination": { "as": { @@ -5908,6 +6769,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33" }, @@ -5953,6 +6832,9 @@ "bytes": 168, "ip": "192.168.2.121", "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, "packets": 2 }, "destination": { @@ -6041,7 +6923,25 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "packets": 2 
@@ -6089,6 +6989,9 @@ "client": { "ip": "192.168.2.105", "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + }, "port": 34141 }, "destination": { @@ -6171,6 +7074,24 @@ "id": "12" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 53 @@ -6220,6 +7141,9 @@ "client": { "ip": "192.168.2.41", "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, "port": 51751 }, "destination": { @@ -6302,6 +7226,24 @@ "id": "11" }, "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156", "mac": "00:50:56:9F:39:33", "port": 443 diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml index bd7e154cbfb..3d10bd560a3 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml @@ -52,10 +52,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - ignore_empty_value: true - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -63,15 +59,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - ignore_empty_value: true -- convert: - field: server.port - type: long - ignore_failure: true - ignore_missing: true - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -84,10 +71,6 @@ processors: field: sophos.xg.src_ip target_field: source.ip ignore_missing: true -- set: - field: client.ip - value: '{{source.ip}}' - ignore_empty_value: true - convert: field: sophos.xg.src_port target_field: source.port @@ -95,15 +78,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - ignore_empty_value: true -- convert: - field: client.port - type: long - ignore_failure: true - ignore_missing: true - rename: field: sophos.xg.from_email_address target_field: source.user.email diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml index ef78f6947b3..1169b490940 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -67,17 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -92,10 +77,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port @@ -103,17 +84,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml index 23871cbe5a7..23eb4f07460 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml @@ -46,10 +46,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.destinationip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -57,17 +53,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -77,19 +62,11 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.sourceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.src_ip target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port @@ -97,17 +74,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml index 2e18b0a1aa0..06dd579e10f 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -67,17 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -87,10 +72,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port @@ -98,17 +79,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index daf00d2a22f..484ec067050 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml @@ -282,10 +282,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytes_sent != null" -- set: - field: client.bytes - copy_from: source.bytes - ignore_empty_value: true - convert: field: sophos.xg.recv_bytes target_field: destination.bytes 
@@ -300,10 +296,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytes_received != null" -- set: - field: server.bytes - copy_from: destination.bytes - ignore_empty_value: true ############################### ## Product Specific Pipelines ## @@ -341,6 +333,15 @@ processors: - pipeline: name: '{{ IngestPipeline "wifi" }}' if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" + +- set: + field: server + copy_from: destination + ignore_empty_value: true +- set: + field: client + copy_from: source + ignore_empty_value: true ############# ## Cleanup ## ############# diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml index 288d80f7666..8f479f84a00 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml @@ -76,10 +76,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.localinterfaceip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" ############################### ## ECS Client/Source Mapping ## @@ -94,19 +90,11 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.src_mac target_field: source.mac ignore_missing: true if: "ctx.sophos?.xg?.src_mac != null" -- set: - field: client.mac - value: '{{source.mac}}' - if: "ctx.source?.mac != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml index 5d03f43e046..6f5a6d0b7cd 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml 
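Review bot: The two `set` processors appended after the product-specific pipelines in default.yml copy the entire `destination` and `source` objects, so every field any sub-pipeline places under source/destination — including ones added later — now lands under server/client and needs a matching declaration in fields/ecs.yml, which the pipeline test only verifies for fields the sample logs actually produce. `set` also defaults to `override: true`, so a server.* or client.* value still written explicitly by a sub-pipeline would be replaced here; as far as this diff shows all such writes were removed, but nothing in the processor says so. Suggest a comment above the first of them: `# Mirror destination/source into server/client once, after the product pipelines; any server.*/client.* set earlier is overwritten, and new source/destination fields need client/server mappings in fields/ecs.yml.` The processors list continues outside the hunk.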
+++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml @@ -60,10 +60,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - copy_from: destination.ip - ignore_empty_value: true - rename: field: sophos.xg.tran_dst_ip target_field: destination.nat.ip @@ -81,10 +77,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - copy_from: destination.port - ignore_empty_value: true - convert: field: sophos.xg.tran_dst_port target_field: destination.nat.port @@ -92,19 +84,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.tran_dst_port != null" -- set: - field: server.nat.port - copy_from: destination.nat.port - ignore_empty_value: true - rename: field: sophos.xg.dst_mac target_field: destination.mac ignore_missing: true if: "ctx.sophos?.xg?.dst_mac != null" -- set: - field: server.mac - copy_from: destination.mac - ignore_empty_value: true - convert: field: sophos.xg.recv_pkts target_field: destination.packets @@ -119,10 +103,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.packets_received !=null" -- set: - field: server.packets - copy_from: destination.packets - ignore_empty_value: true ############################### ## ECS Client/Source Mapping ## @@ -132,10 +112,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.tran_src_ip target_field: source.nat.ip 
@@ -158,17 +134,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - convert: field: sophos.xg.tran_src_port target_field: source.nat.port @@ -176,26 +141,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.tran_src_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" - rename: field: sophos.xg.src_mac target_field: source.mac ignore_missing: true if: "ctx.sophos?.xg?.src_mac != null" -- set: - field: client.mac - value: '{{source.mac}}' - if: "ctx.source?.mac != null" - trim: field: sophos.xg.sent_pkts ignore_missing: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml index ca034201de5..dcdc0be4fa9 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml @@ -41,10 +41,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -52,17 +48,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -72,10 +57,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port @@ -83,17 +64,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml index 07040415e9c..392b4c768d9 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml @@ -65,10 +65,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml index 10f3b4c79f2..c1a904f35ce 100644 
--- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.localip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.bytessent target_field: destination.bytes @@ -67,13 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytessent != null" -- convert: - field: sophos.xg.bytessent - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytessent != null" ############################### ## ECS Client/Source Mapping ## @@ -83,10 +72,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.sourceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.bytesrcv target_field: source.bytes @@ -94,17 +79,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytesrcv != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/fields/ecs.yml b/packages/sophos/data_stream/xg/fields/ecs.yml index 6800fb6294f..f950a9f86bd 100644 --- a/packages/sophos/data_stream/xg/fields/ecs.yml +++ b/packages/sophos/data_stream/xg/fields/ecs.yml 
@@ -1,15 +1,46 @@ +- external: ecs + name: client.as.number +- external: ecs + name: client.as.organization.name - external: ecs name: client.bytes +- external: ecs + name: client.domain +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- external: ecs + name: client.geo.name +- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name - external: ecs name: client.ip - external: ecs name: client.mac +- external: ecs + name: client.nat.ip - external: ecs name: client.nat.port - external: ecs name: client.packets - external: ecs name: client.port +- external: ecs + name: client.user.email +- external: ecs + name: client.user.group.name +- external: ecs + name: client.user.name - external: ecs name: destination.as.number - external: ecs @@ -163,12 +194,35 @@ name: rule.name - external: ecs name: rule.ruleset +- external: ecs + name: server.as.number +- external: ecs + name: server.as.organization.name - external: ecs name: server.bytes +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- description: Longitude and latitude. + name: server.geo.location + type: geo_point +- external: ecs + name: server.geo.name +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name - external: ecs name: server.ip - external: ecs name: server.mac +- external: ecs + name: server.nat.ip - external: ecs name: server.nat.port - external: ecs @@ -176,7 +230,7 @@ - external: ecs name: server.port - external: ecs - name: server.mac + name: server.user.email - external: ecs name: source.as.number - external: ecs 
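Review bot: The new client/server declarations look asymmetric: `client.domain`, `client.user.name` and `client.user.group.name` are added, but no `server.domain` or `server.user.name` appears in these hunks, only `server.user.email`. Because default.yml now copies the whole `destination` object into `server`, a `destination.domain` or `destination.user.name` emitted by any sub-pipeline would arrive under `server.*` without a mapping; if those fields exist anywhere in the package, add `- external: ecs` entries for `server.domain` and the missing `server.user.*` names, and if they do not, the unused client entries could be dropped for symmetry. `client.geo.location` and `server.geo.location` use an inline `type: geo_point` rather than `external: ecs` like their siblings — presumably matching how the existing geo.location fields are declared, but a one-line comment such as `# geo_point declared inline; external ecs import does not carry the type` (or whatever the actual reason is) would save the next reader the question.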
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 7bc5c3758da..db22faea67f 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md @@ -38,7 +38,6 @@ The `utm` dataset collects Astaro Security Gateway logs. | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | 
@@ -74,7 +73,6 @@ The `utm` dataset collects Astaro Security Gateway logs. | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | file.name | Name of the file including the extension, without the directory. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.type | File type (file, dir, or symlink). | keyword | | geo.city_name | City name. | keyword | 
@@ -113,15 +111,11 @@ The `utm` dataset collects Astaro Security Gateway logs. | observer.vendor | Vendor name of the observer. | keyword | | observer.version | Observer version. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | | process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | process.parent.pid | Process id. | long | | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | process.pid | Process id. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | 
@@ -806,7 +800,6 @@ The `utm` dataset collects Astaro Security Gateway logs. | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | source.geo.city_name | City name. | keyword | 
@@ -823,19 +816,15 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
 | url.path | Path of the request, such as "/search". | wildcard |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
 | url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 ### XG log
@@ -946,12 +935,27 @@ An example event for `xg` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
+| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| client.as.organization.name | Organization name. | keyword |
 | client.bytes | Bytes sent from the client to the server. | long |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location | Longitude and latitude. | geo_point |
+| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
 | client.nat.port | Translated port of source based NAT sessions (e.g. 
internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long |
 | client.packets | Packets sent from the client to the server. | long |
 | client.port | Port of the client. | long |
+| client.user.email | User email address. | keyword |
+| client.user.group.name | Name of the group. | keyword |
+| client.user.name | Short name or login of the user. | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
@@ -970,7 +974,6 @@ An example event for `xg` looks as following:
 | data_stream.type | Data stream type. | constant_keyword |
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
@@ -1030,7 +1033,6 @@ An example event for `xg` looks as following:
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -1067,12 +1069,24 @@ An example event for `xg` looks as following:
 | rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
 | rule.name | The name of the rule or signature generating the event. | keyword |
 | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| server.as.organization.name | Organization name. | keyword |
 | server.bytes | Bytes sent from the server to the client. | long |
+| server.geo.city_name | City name. | keyword |
+| server.geo.continent_name | Name of the continent. | keyword |
+| server.geo.country_iso_code | Country ISO code. | keyword |
+| server.geo.country_name | Country name. | keyword |
+| server.geo.location | Longitude and latitude. | geo_point |
+| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| server.geo.region_iso_code | Region ISO code. | keyword |
+| server.geo.region_name | Region name. | keyword |
 | server.ip | IP address of the server (IPv4 or IPv6). | ip |
 | server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. 
| ip |
 | server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long |
 | server.packets | Packets sent from the server to the client. | long |
 | server.port | Port of the server. | long |
+| server.user.email | User email address. | keyword |
 | sophos.xg.Configuration | Configuration | float |
 | sophos.xg.FTP_direction | Direction of FTP transfer: Upload or Download | keyword |
 | sophos.xg.FTP_url | FTP URL from which virus was downloaded | keyword |
@@ -1284,7 +1298,6 @@ An example event for `xg` looks as following:
 | sophos.xg.xss | related XSS caught by the WAF | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
@@ -1304,15 +1317,12 @@ An example event for `xg` looks as following:
 | source.user.email | User email address. | keyword |
 | source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
 | url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
 | url.password | Password of the request. 
| keyword |
 | url.path | Path of the request, such as "/search". | wildcard |
 | url.port | Port of the request, such as 443. | long |
@@ -1324,17 +1334,13 @@ An example event for `xg` looks as following:
 | url.username | Username of the request. | keyword |
 | user.email | User email address. | keyword |
 | user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.device.name | Name of the device. | keyword |
 | user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 | user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
 | user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
 | user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
 | user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | user_agent.os.version | Operating system version as a raw string. | keyword |
 | user_agent.version | Version of the user agent. | keyword |
From 9e25bad6309733a4c21cf355d34ac008c1e48991 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 18 Apr 2022 18:16:08 -0400
Subject: [PATCH 6/6] Update readme
---
 packages/sophos/docs/README.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md
index db22faea67f..88e9b8e8b44 100644
--- a/packages/sophos/docs/README.md
+++ b/packages/sophos/docs/README.md
@@ -38,6 +38,7 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
@@ -73,6 +74,7 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | file.name | Name of the file including the extension, without the directory. | keyword |
 | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
 | file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
 | file.type | File type (file, dir, or symlink). | keyword |
 | geo.city_name | City name. | keyword |
@@ -111,11 +113,15 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | observer.vendor | Vendor name of the observer. | keyword |
 | observer.version | Observer version. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
 | process.parent.pid | Process id. | long |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
 | process.pid | Process id. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
@@ -800,6 +806,7 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
@@ -816,15 +823,19 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
 | url.path | Path of the request, such as "/search". | wildcard |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
 | url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 ### XG log
@@ -937,6 +948,7 @@ An example event for `xg` looks as following:
 | @timestamp | Event timestamp. | date |
 | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | client.as.organization.name | Organization name. | keyword |
+| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
 | client.bytes | Bytes sent from the client to the server. | long |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.geo.city_name | City name. | keyword |
@@ -956,6 +968,7 @@ An example event for `xg` looks as following:
 | client.user.email | User email address. | keyword |
 | client.user.group.name | Name of the group. | keyword |
 | client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
@@ -974,6 +987,7 @@ An example event for `xg` looks as following:
 | data_stream.type | Data stream type. | constant_keyword |
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
@@ -1033,6 +1047,7 @@ An example event for `xg` looks as following:
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -1071,6 +1086,7 @@ An example event for `xg` looks as following:
 | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
 | server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | server.as.organization.name | Organization name. | keyword |
+| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text |
 | server.bytes | Bytes sent from the server to the client. | long |
 | server.geo.city_name | City name. | keyword |
 | server.geo.continent_name | Name of the continent. | keyword |
@@ -1298,6 +1314,7 @@ An example event for `xg` looks as following:
 | sophos.xg.xss | related XSS caught by the WAF | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
@@ -1317,12 +1334,15 @@ An example event for `xg` looks as following:
 | source.user.email | User email address. | keyword |
 | source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
 | url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
 | url.password | Password of the request. 
| keyword |
 | url.path | Path of the request, such as "/search". | wildcard |
 | url.port | Port of the request, such as 443. | long |
@@ -1334,13 +1354,17 @@ An example event for `xg` looks as following:
 | url.username | Username of the request. | keyword |
 | user.email | User email address. | keyword |
 | user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.device.name | Name of the device. | keyword |
 | user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 | user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
 | user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
 | user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
 | user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | user_agent.os.version | Operating system version as a raw string. | keyword |
 | user_agent.version | Version of the user agent. | keyword |