diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fb3988eae0e..19812ea66e2 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -132,6 +132,7 @@
 /packages/snort @elastic/security-external-integrations
 /packages/snyk @elastic/security-external-integrations
 /packages/sonicwall @elastic/security-external-integrations
+/packages/sonicwall_firewall @elastic/security-external-integrations
 /packages/sophos @elastic/security-external-integrations
 /packages/spring_boot @elastic/obs-service-integrations
 /packages/squid @elastic/security-external-integrations
diff --git a/packages/sonicwall/_dev/build/docs/README.md b/packages/sonicwall/_dev/build/docs/README.md
index f3ff15666c2..975ac582b59 100644
--- a/packages/sonicwall/_dev/build/docs/README.md
+++ b/packages/sonicwall/_dev/build/docs/README.md
@@ -1,4 +1,7 @@
-# Sonicwall integration
+# Sonicwall integration (Deprecated)
+
+_This integration is deprecated. Please use the SonicWall Firewall
+integration instead._
 
 This integration is for Sonicwall device's logs. It includes the following
 datasets for receiving logs over syslog or read from a file:
diff --git a/packages/sonicwall/changelog.yml b/packages/sonicwall/changelog.yml
index bca15bd94e2..87dad420e4a 100644
--- a/packages/sonicwall/changelog.yml
+++ b/packages/sonicwall/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.8.2"
+  changes:
+    - description: Mark package as deprecated. Please migrate to the sonicwall_firewall package.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3365
 - version: "0.8.1"
   changes:
     - description: Format source.mac and destination.mac as per ECS.
diff --git a/packages/sonicwall/docs/README.md b/packages/sonicwall/docs/README.md
index 3f2bbbb93dd..2cfbe9f5654 100644
--- a/packages/sonicwall/docs/README.md
+++ b/packages/sonicwall/docs/README.md
@@ -1,4 +1,7 @@
-# Sonicwall integration
+# Sonicwall integration (Deprecated)
+
+_This integration is deprecated. Please use the SonicWall Firewall
+integration instead._
 
 This integration is for Sonicwall device's logs. It includes the following
 datasets for receiving logs over syslog or read from a file:
diff --git a/packages/sonicwall/manifest.yml b/packages/sonicwall/manifest.yml
index 80ca19a62db..262ab60e52a 100644
--- a/packages/sonicwall/manifest.yml
+++ b/packages/sonicwall/manifest.yml
@@ -1,8 +1,8 @@
 format_version: 1.0.0
 name: sonicwall
 title: Sonicwall-FW Logs
-version: "0.8.1"
-description: Collect logs from Sonicwall devices with Elastic Agent.
+version: "0.8.2"
+description: Deprecated. Collect logs from Sonicwall devices with Elastic Agent.
 categories: ["network", "security"]
 release: experimental
 license: basic
diff --git a/packages/sonicwall_firewall/_dev/build/build.yml b/packages/sonicwall_firewall/_dev/build/build.yml
new file mode 100644
index 00000000000..d61527283ec
--- /dev/null
+++ b/packages/sonicwall_firewall/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2
diff --git a/packages/sonicwall_firewall/_dev/build/docs/README.md b/packages/sonicwall_firewall/_dev/build/docs/README.md
new file mode 100644
index 00000000000..fb7ebb748ff
--- /dev/null
+++ b/packages/sonicwall_firewall/_dev/build/docs/README.md
@@ -0,0 +1,79 @@
+# SonicWall Firewall Integration
+
+This integration collects syslog messages from SonicWall firewalls. It has been tested with Enhanced
+Syslog logs from SonicOS 6.5 and 7.0 as described in the [Log Events reference guide.](https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf)
+
+## Configuration
+
+Configure a Syslog Server in your firewall using the following options:
+ - **Name or IP Address:** The address where your Elastic Agent running this integration is reachable.
+ - **Port:** The Syslog port (UDP) configured in this integration.
+ - **Server Type:** Syslog Server.
+ - **Syslog Format:** Enhanced Syslog.
+ - **Syslog ID:** Change this default (`firewall`) if you need to differentiate between multiple firewalls.
+ This value will be stored in the `observer.name` field.
+
+It's recommended to enable the **Display UTC in logs (instead of local time)** setting under the
+_Device > Settings > Time_ configuration menu. Otherwise you'll have to configure the **Timezone Offset**
+setting of this integration to match the timezone configured in your firewall.
+
+Ensure proper connectivity between your firewall and Elastic Agent.
+
+## Supported messages
+
+This integration features generic support for enhanced syslog messages produced by SonicOS and features
+more detailed ECS enrichment for the following messages:
+
+| Category | Subcategory | Message IDs |
+|----------|-------------|-------------|
+| Firewall | Access Rules | 440-442, 646, 647, 734, 735 |
+| Firewall | Application Firewall | 793, 1654 |
+| Firewall Settings | Advanced | 428, 1473, 1573, 1576, 1590 |
+| Firewall Settings | Checksum Enforcement | 883-886, 1448, 1449 |
+| Firewall Settings | FTP | 446, 527, 528, 538 |
+| Firewall Settings | Flood Protection | 25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452 |
+| Firewall Settings | Multicast | 683, 690, 694, 1233 |
+| Firewall Settings | SSL Control | 999, 1001-1006, 1081 |
+| High Availability | Cluster | 1149, 1152 |
+| Log | Configuration Auditing | 1382, 1383, 1674 |
+| Network | ARP | 45, 815, 1316 |
+| Network | DNS | 1098, 1099 |
+| Network | DNS Security | 1593 |
+| Network | ICMP | 38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458 |
+| Network | IP | 28, 522, 910, 1301-1303, 1429, 1430 |
+| Network | IPcomp | 651-653 |
+| Network | IPv6 Tunneling | 1253 |
+| Network | Interfaces | 58 |
+| Network | NAT | 339, 1197, 1436 |
+| Network | NAT Policy | 1313-1315 |
+| Network | Network Access | 41, 46, 98, 347, 524, 537, 590, 714, 1304 |
+| Network | TCP | 36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629 |
+| Security Services | Anti-Spyware | 794-796 |
+| Security Services | Anti-Virus | 123-125, 159, 408, 482 |
+| Security Services | Application Control | 1154, 1155 |
+| Security Services | Attacks | 22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471 |
+| Security Services | Botnet Filter | 1195, 1200, 1201, 1476, 1477, 1518, 1519 |
+| Security Services | Content Filter | 14, 16, 1599-1601 |
+| Security Services | Geo-IP Filter | 1198, 1199, 1474, 1475 |
+| Security Services | IDP | 789, 790 |
+| Security Services | IPS | 608, 609 |
+| Security Services | Next-Gen Anti-Virus | 1559-1562 |
+| Security Services | RBL Filter | 797, 798 |
+| System | Administration | 340, 341 |
+| System | Cloud Backup | 1511-1516 |
+| System | Restart | 93-95, 164, 599-601, 1046, 1047, 1392, 1393 |
+| System | Settings | 573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637 |
+| System | Status | 4, 53, 521, 1107, 1196, 1332, 1495, 1496 |
+| Users | Authentication Access | 24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672 |
+| Users | Radius Authentication | 243-245, 744-751, 753-757, 1011 |
+| Users | SSO Agent Authentication | 988-991 |
+| VPN | DHCP Relay | 229 |
+| Wireless | RF Monitoring | 879 |
+| Wireless | WLAN | 1363 |
+| Wireless | WLAN IDS | 546, 548 |
+
+## Logs
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml b/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..a54aa0d278d
--- /dev/null
+++ b/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+  sonicwall_firewall-logfile:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  sonicwall_firewall-syslog:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/log.log"
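Review bot: The `sonicwall_firewall-logfile` service pulls an unpinned base image, `image: alpine`, while the sibling `sonicwall_firewall-syslog` service pins `stream:v0.7.0`; an unpinned tag resolves to whatever `alpine:latest` is at test time, so the system-test fixture is not reproducible and the test harness silently depends on an upstream image you do not control — pin it to a specific tag or digest, as the `stream` image already is. The log-file service also copies `sample_logs` into `${SERVICE_LOGS_DIR}` although the README in this PR documents only a UDP syslog input; if the package has no log-file data stream this service is dead weight, and if it does the README should say so (the package manifest is not in this diff, so I cannot tell which). Lastly, the `stream` invocation sends the fixture with `-p=udp`, which only exercises the unauthenticated transport; since the README maps the firewall's `id=` value to `observer.name`, it would be worth a one-line caveat in the configuration section that plain UDP syslog gives no sender authentication, so `observer.name` and `fw=` are spoofable unless the agent's listener is restricted to the firewall's source address.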
diff --git a/packages/sonicwall_firewall/_dev/deploy/docker/sample_logs/log.log b/packages/sonicwall_firewall/_dev/deploy/docker/sample_logs/log.log
new file mode 100644
index 00000000000..8769bd9c918
--- /dev/null
+++ b/packages/sonicwall_firewall/_dev/deploy/docker/sample_logs/log.log
@@ -0,0 +1,146 @@ +<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:26 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=795 usr="admin" src=81.2.69.193:65055:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1930 rcvd=1545 spkt=11 rpkt=7 dpi=0 cdur=2133 rule="Default Access Rule" fw_action="NA" +<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:26 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=797 usr="admin" src=81.2.69.193:65056:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=2146 rcvd=1611 spkt=11 rpkt=9 dpi=0 cdur=2483 rule="Default Access Rule" fw_action="NA" +<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:27 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=799 usr="admin" src=81.2.69.193:65057:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1919 rcvd=1547 spkt=10 rpkt=7 dpi=0 cdur=2183 rule="Default Access Rule" fw_action="NA" +<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:28 UTC" fw=10.0.0.96 pri=6 c=262144 m=98 msg="Connection Opened" app=12 sess="Web" n=780 usr="admin" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=64 dpi=0 fw_action="NA" +<133> id=firewall sn=0040103CE114 time="2022-05-16 15:22:28 UTC" fw=10.0.0.96 pri=5 c=16 m=526 msg="Web management request allowed" app=12 sess="Web" n=927 usr="admin" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 dstMac=06:6e:64:57:48:02 proto=tcp/https uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" rule="15 (WAN->WAN)" fw_action="mgmt" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=692 
fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=694 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr="admin" sess="API" msg="Configuration succeeded: 'Logging Level' , changed from [WARNING], changed to [DEBUG]" n=35 fw_action="NA" auditId=34 tranxId=26 userMode="Full" oldValue="WARNING" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr="admin" sess="API" msg="Configuration succeeded: 'Alert Level' , changed from [ALERT], changed to [WARNING]" n=37 fw_action="NA" auditId=35 tranxId=27 userMode="Full" oldValue="ALERT" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64888:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=2463 rcvd=1691 spkt=12 rpkt=10 cdur=2566 sess="Web" rule="Default Access Rule" app=12 n=449 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64889:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1935 rcvd=1577 spkt=10 rpkt=8 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=451 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:29675:X1 srcZone=Untrusted 
dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334100 rule="Default Access Rule" app=42 n=453 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64890:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=460 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=639 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64891:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=462 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=641 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64892:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=464 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted 
dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=643 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=696 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=698 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=700 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=702 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:43" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP 
Flag(s): RST" n=704 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:43" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=706 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64893:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=466 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=645 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1871 rcvd=1378 spkt=10 rpkt=7 cdur=2366 sess="Web" rule="Default Access Rule" app=12 n=455 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2366 sess="Web" rule="Default Access Rule" app=12 n=457 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted 
dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=708 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=710 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1896 rcvd=1279 spkt=11 rpkt=8 cdur=3450 sess="Web" rule="Default Access Rule" app=12 n=459 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8740 rcvd=256305 spkt=159 rpkt=181 cdur=2766 sess="Web" rule="Default Access Rule" app=12 n=461 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64894:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=468 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=647 fw_action="mgmt" 
uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=712 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=714 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64895:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=470 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=649 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=716 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted 
dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=718 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:49" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3259 rcvd=16551 spkt=18 rpkt=18 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=463 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:49" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1868 rcvd=1545 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=465 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:51" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:53022:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334050 rule="Default Access Rule" app=42 n=467 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64896:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=472 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=651 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> 
id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64897:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=474 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=653 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=720 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=722 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=724 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted 
usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=726 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:53" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64898:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=476 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:53" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=655 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=728 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=730 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64899:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=478 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted 
dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=657 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1931 rcvd=3588 spkt=11 rpkt=9 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=469 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=471 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:55" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=732 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:55" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=734 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:56" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1866 rcvd=1301 spkt=10 rpkt=8 
cdur=2116 sess="Web" rule="Default Access Rule" app=12 n=473 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:57" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8392 rcvd=253313 spkt=152 rpkt=179 cdur=2916 sess="Web" rule="Default Access Rule" app=12 n=475 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64901:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=480 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=659 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=736 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=738 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" 
src=81.2.69.193:64902:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=482 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=661 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64903:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=484 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=663 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=740 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=742 fw_action="drop" +<135> id=firewall sn=0040103CE114 
time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=744 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=746 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64904:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=486 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=665 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=748 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr="admin" proto=tcp/https 
sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=750 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64905:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=488 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=667 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3243 rcvd=16551 spkt=18 rpkt=18 cdur=2216 sess="Web" rule="Default Access Rule" app=12 n=477 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1871 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=479 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=481 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:05" fw=10.0.0.96 pri=7 
c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=752 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:05" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=754 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:06" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1866 rcvd=1255 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=483 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.145:43466:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=60 app=12 n=490 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=60 rule="15 (WAN->WAN)" app=12 note="policyCheck" n=669 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8438 rcvd=253369 spkt=153 rpkt=180 cdur=3283 sess="Web" rule="Default Access 
Rule" app=12 n=485 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=756 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=758 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=760 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:10" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https sent=1172 rcvd=2121 spkt=11 rpkt=8 cdur=3050 rule="Default Access Rule" app=12 n=487 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64906:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=492 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" 
app=12 note="policyCheck" n=671 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64907:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=494 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=673 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=762 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=764 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=766 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 
src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=768 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64908:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=496 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=675 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=770 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=772 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64909:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=498 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 
msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=677 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1885 rcvd=3542 spkt=10 rpkt=8 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=489 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=491 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=774 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=776 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:16" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 
srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1850 rcvd=1301 spkt=10 rpkt=8 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=493 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:16" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:43808:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334116 rule="Default Access Rule" app=42 n=495 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8438 rcvd=253354 spkt=153 rpkt=180 cdur=3266 sess="Web" rule="Default Access Rule" app=12 n=497 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64910:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=500 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=679 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=778 fw_action="drop" +<135> id=firewall 
sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=780 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:19" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3243 rcvd=16567 spkt=18 rpkt=18 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=499 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=502 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54604:X1 srcZone=Untrusted natSrc=10.0.0.96:41479 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=151 fw_action="forward" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=504 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96:58515 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg="" note="stack 
traffic always trusted" n=153 fw_action="forward" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:27465:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334083 rule="Default Access Rule" app=42 n=501 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64912:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=506 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=681 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64913:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=508 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=683 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted 
usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=782 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=784 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=786 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=788 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=350 rcvd=916 spkt=5 rpkt=5 cdur=2050 app=9 n=503 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=334 rcvd=694 spkt=5 rpkt=5 cdur=2033 app=9 n=505 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 
msg="Connection Opened" src=81.2.69.193:64914:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=510 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=685 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64915:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=512 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64915:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=687 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=790 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=792 fw_action="drop" +<134> 
id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2150 sess="Web" rule="Default Access Rule" app=12 n=507 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1931 rcvd=3526 spkt=11 rpkt=8 cdur=2150 sess="Web" rule="Default Access Rule" app=12 n=509 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=794 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=796 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:26" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1850 rcvd=1239 spkt=10 rpkt=7 cdur=2116 sess="Web" rule="Default Access Rule" app=12 n=511 fw_action="NA" dpi=0 \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/changelog.yml b/packages/sonicwall_firewall/changelog.yml
new file mode 100644
index 00000000000..81d6381daf0
--- /dev/null
+++ b/packages/sonicwall_firewall/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial beta version of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3365
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..72e01d2586b
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+fields:
+ tags:
+ - preserve_original_event
+ _conf:
+ tz_offset: "+02:00"
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log
new file mode 100644
index 00000000000..88557658ea6
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log
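Review bot: `tz_offset: "+02:00"` in test-common-config.yml is an unexplained constant. The fixture log lines carry a zone-less device `time="..."` field, so presumably this is the offset the pipeline test applies to those timestamps, but nothing in the file says so, and a reader who changes the fixtures has no way to know whether the offset must match them. A one-line comment above the key would remove the guess, e.g. `# Offset applied to the device's zone-less time="..." field in these fixtures` — confirm against the pipeline's handling of `_conf.tz_offset` before wording it as fact. Quoting the value is the right call, since colon-containing plain scalars are a known implicit-typing trap in YAML loaders.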
@@ -0,0 +1,32 @@
+Apr 29 10:04:36 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-29 10:05:12" fw=172.16.0.2 pri=6 c=262144 m=98 msg="Connection Opened" n=15243934 src=172.16.2.2:4522:X0 dst=81.2.69.143:443:X1 proto=tcp/https sent=60
+Apr 29 10:05:16 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-29 10:05:52" fw=172.16.0.2 pri=6 c=1024 m=537 msg="Connection Closed" app=11 n=15348774 src=172.16.2.2:64159:X0 dst=1.128.3.4:443:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:2a:7d:1d:35 proto=tcp/https sent=4941 rcvd=7294 spkt=16 rpkt=13 cdur=112650
+Apr 27 10:01:58 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:02:30" fw=172.16.0.2 pri=6 c=1024 m=97 app=9 n=558417 src=172.16.2.2:60102:X0 dst=89.160.20.156:80:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:2a:7d:1d:35 proto=tcp/http op=1 sent=403 rcvd=719 dstname=www.sampledomain.es arg=/index.php?pingto=www.nessus.org%20|%20dir code=64 Category="Not Rated"
+Apr 27 10:05:02 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:05:34" fw=172.16.0.2 pri=4 c=0 m=1220 msg="Invalid SNMP packet" n=109062 src=172.16.2.2:36322 dst=172.16.2.1:161 note="Invalid engineID: 0"
+Apr 27 10:23:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:24:23" fw=172.16.0.2 pri=6 c=16 m=994 msg="Configuration mode administration session started" sess="Web" n=11 usr="admin" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note="admin at GUI from 172.16.2.2"
+Apr 27 11:02:40 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 11:03:13" fw=172.16.0.2 pri=1 c=32 m=83 msg="Probable port scan detected" n=7652 src=89.160.20.156:443:X1 dst=172.16.0.2:45071:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/45071 note="TCP scanned port list, 20566, 41385, 14480, 57223, 53623, 36878, 10199, 31096, 4738, 45071"
+Apr 27 10:41:01 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:41:33" fw=172.16.0.2 pri=1 c=32 m=82 msg="Possible port scan detected" n=15066 src=89.160.20.156:443:X1
dst=172.16.0.2:35878:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/35878 note="TCP scanned port list, 33159, 33981, 8161, 51557, 7847"
+Apr 27 10:26:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:26:50" fw=172.16.1.1 pri=4 c=32 m=866 msg="Possible SYN Flood on IF X0 - src: 172.16.2.2:42668 dst: 67.43.156.12:10617 - rate: 465/sec continues" sess="Web" n=7342 usr="admin" src=172.16.2.2:42668:X0 dst=67.43.156.12:10617 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/10617
+Apr 27 10:26:17 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:26:49" fw=172.16.1.1 pri=1 c=32 m=867 msg="Possible SYN Flood on IF X0 - from machine xx:xx:a5:10:44:b8 with SYN rate of 173/sec has ceased" sess="Web" n=2158 usr="admin" src=172.16.2.2:64983:X0 dst=81.2.69.144:80 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/http
+Apr 27 10:23:10 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:23:41" fw=172.16.0.2 pri=3 c=2 m=53 msg="The cache is full; %u open connections; some will be dropped32000 cacheCurrentInUse, 0 freed from pendingFreeList (Total 12)" n=4094019 src=172.16.2.2:58636:X0 dst=67.43.156.13:56432:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/56432
+Apr 27 10:21:42 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:22:14" fw=172.16.0.2 pri=1 c=32 m=860 msg="Possible SYN Flood on IF X0 - src: 172.16.2.2:60062 dst: 67.43.156.14:22402" n=2152 src=172.16.2.2:60062:X0 dst=67.43.156.14:22402 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/22402
+Apr 27 21:37:24 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 21:37:57" fw=172.16.0.2 pri=5 c=128 m=1231 msg="Time update from NTP server was successful" n=458 src=172.16.0.2:123:X0 dst=67.43.156.15:123:X1 note="Received reply from NTP server 67.43.156.15.
Update system time from 04/27/2022 21:37:56.416 to 04/27/2022 21:37:57.528"
+Apr 27 23:03:37 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 23:04:10" fw=172.16.1.1 pri=1 c=2 m=326 msg="Probing failure on NAT Static IP" n=86 src=172.16.0.2::X1 dst=81.2.69.193:0:X1
+Apr 27 11:34:04 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 11:34:36" fw=172.16.0.2 pri=5 c=128 m=1232 msg="NTP Request sent" n=455 src=172.16.0.2:123:X0 dst=67.43.156.15:123:X1 note="Send request to NTP server 67.43.156.15"
+Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:24:35" fw=172.16.1.1 pri=1 c=2 m=586 msg="WLB Resource failed" n=40 src=172.16.0.2::X1
+Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:24:35" fw=172.16.1.1 pri=4 c=2 m=307 msg="The network connection in use is NAT Static IP" n=79 src=172.16.1.1::X5
+Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:24:35" fw=172.16.1.1 pri=1 c=2 m=584 msg="WLB Failover in progress" n=41 src=172.16.0.2::X1 dst=172.16.1.1::X5
+Apr 28 06:38:17 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-28 06:38:51" fw=172.16.0.2 pri=4 c=32 m=1371 msg="Possible TCP Flood on IF X1 - src: 82.98.136.100:80 dst: 172.16.0.2:15912 - rate: 1869/sec continues" n=151
+Apr 28 06:37:25 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-28 06:37:59" fw=172.16.0.2 pri=1 c=32 m=1370 msg="Possible TCP Flood on IF X1 - from machine xx:xx:2a:7d:1d:35 with TCP packet rate of 3/sec has ceased" n=60 src=81.2.69.145:443:X1 dst=172.16.0.2:37462:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/37462
+Apr 28 06:36:54 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-28 06:37:28" fw=172.16.0.2 pri=1 c=32 m=1369 msg="Possible TCP Flood on IF X1 - src: 81.2.69.145:443 dst: 172.16.0.2:12137" n=58 src=81.2.69.145:443:X1 dst=172.16.0.2:12137:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/12137
+Apr 28 06:36:28 172.16.2.1 id=firewall sn=0000A0AAAA00
time="2022-04-28 06:37:02" fw=172.16.0.2 pri=1 c=32 m=177 msg="Probable TCP FIN scan detected" n=70 src=81.2.69.145:80:X1 dst=172.16.0.2:61017:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/61017 note="TCP scanned port list, 42998, 30957, 8099, 65027, 42142, 35538, 13062, 40855, 35544, 61017"
+Apr 27 23:03:52 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 23:04:26" fw=172.16.0.2 pri=1 c=2 m=436 msg="Probing succeeded on NAT Static IP" n=47 src=172.16.0.2::X1 dst=89.160.20.112:0:X1
+Apr 27 23:03:52 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 23:04:26" fw=172.16.0.2 pri=1 c=2 m=585 msg="WLB Resource is now available" n=44 src=172.16.0.2::X1
+Apr 27 19:29:07 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 19:29:40" fw=172.16.0.2 pri=1 c=32 m=267 msg="TCP Xmas Tree dropped" n=56 src=175.16.199.1:16345:X1 dst=172.16.0.2:81 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/81
+Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:32:51" fw=172.16.0.2 pri=6 c=16 m=998 msg="GUI administration session ended" sess="Web" dur=510 n=11 usr="admin" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note="admin"
+Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:32:51" fw=172.16.0.2 pri=6 c=16 m=995 msg="Configuration mode administration session ended" n=11 src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note="admin at GUI from 172.16.2.2"
+Apr 27 10:23:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:24:23" fw=172.16.0.2 pri=6 c=16 m=29 msg="Administrator login allowed" sess="Web" n=11 usr="admin" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444
+Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 10:32:51" fw=172.16.0.2 pri=6 c=16 m=262 msg="Administrator logged out - inactivity timer expired" sess="Web" dur=510 n=11 usr="admin" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0
+Apr 27 23:03:52 172.16.2.1 id=firewall
sn=0000A0AAAA00 time="2022-04-27 23:04:26" fw=172.16.0.2 pri=1 c=2 m=435 msg="WLB Failback initiated by preemption due to a more preferred interface being operational" n=40 src=172.16.1.1::X5 dst=172.16.0.2::X1
+Apr 29 03:46:20 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-29 03:46:56" fw=172.16.0.2 pri=1 c=2 m=1107 msg="Response from NTP Server is either incomplete or invalid" n=8
+Apr 29 03:46:20 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-29 03:46:56" fw=172.16.0.2 pri=5 c=128 m=1230 msg="Failed on updating time from NTP server" n=8 src=172.16.0.2:123:X0 dst=67.43.156.15:123:X1 note="invalid NTP server 67.43.156.15"
+Apr 27 09:42:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time="2022-04-27 09:42:51" fw=172.16.0.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" n=1 usr="admin" src=172.16.2.2:17391:X0 dst=172.16.2.1:4444:X0 proto=tcp/4444
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log-expected.json b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log-expected.json
new file mode 100644
index 00000000000..b09322feecc
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-drizzthacker.log-expected.json
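Review bot: The `m=97` web-access line in this fixture (third line of the hunk, `arg=/index.php?pingto=www.nessus.org%20|%20dir`) is carried into the generated expected output with `url.path` set to the whole `arg` value including the query string, and `url.full` built from it, so ECS `url.query` is never populated and path-based detections see an unnormalised value; the pipeline should split `arg` at the first `?` into `url.path` and `url.query` (or keep the raw value in `url.original` and derive the parts with a `uri_parts` processor on the reconstructed URL) and this expected file regenerated. The same record comes out with `event.code` but no `event.kind`/`event.category`/`event.action`, unlike the connection and admin-session lines, which presumably means message id 97 is not classified by the pipeline; if web-access records are meant to be searchable alongside the rest, `event.category: ["web"]` with `event.type: ["access"]` would be the ECS mapping. The ingest pipeline itself is outside this view, so both points are inferred from the fixture and its expected output only.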
@@ -0,0 +1,2102 @@ +{ + "expected": [ + { + "@timestamp": "2022-04-29T10:05:12.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Apr 29 10:04:36 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-29 10:05:12\" fw=172.16.0.2 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=15243934 src=172.16.2.2:4522:X0 dst=81.2.69.143:443:X1 proto=tcp/https sent=60", + "outcome": "success", + "sequence": "15243934", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 60, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "81.2.69.143", + "172.16.0.2" + ] + }, + "source": { + "bytes": 60, + "ip": "172.16.2.2", + "port": 4522 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-29T10:05:52.000+02:00", + "destination": { + "bytes": 7294, + "ip": "1.128.3.4", + "mac": "00-53-2A-7D-1D-35", + "packets": 13, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 112650000000, + "kind": "event", + "original": "Apr 29 10:05:16 172.16.2.1 id=firewall sn=0000A0AAAA00 
time=\"2022-04-29 10:05:52\" fw=172.16.0.2 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=11 n=15348774 src=172.16.2.2:64159:X0 dst=1.128.3.4:443:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:2a:7d:1d:35 proto=tcp/https sent=4941 rcvd=7294 spkt=16 rpkt=13 cdur=112650", + "outcome": "success", + "sequence": "15348774", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 12235, + "packets": 29, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "1.128.3.4", + "172.16.0.2" + ] + }, + "sonicwall": { + "firewall": { + "app": "11" + } + }, + "source": { + "bytes": 4941, + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "packets": 16, + "port": 64159 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:02:30.000+02:00", + "destination": { + "bytes": 719, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00-53-2A-7D-1D-35", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "Apr 27 10:01:58 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:02:30\" fw=172.16.0.2 pri=6 c=1024 m=97 app=9 n=558417 src=172.16.2.2:60102:X0 dst=89.160.20.156:80:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:2a:7d:1d:35 proto=tcp/http op=1 sent=403 rcvd=719 dstname=www.sampledomain.es arg=/index.php?pingto=www.nessus.org%20|%20dir 
code=64 Category=\"Not Rated\"", + "sequence": "558417", + "severity": "6", + "timezone": "+02:00" + }, + "http": { + "request": { + "method": "GET" + } + }, + "log": { + "level": "info" + }, + "network": { + "bytes": 1122, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "89.160.20.156", + "172.16.0.2" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Not Rated", + "app": "9", + "code": "64" + } + }, + "source": { + "bytes": 403, + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "port": 60102 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.sampledomain.es", + "full": "http://www.sampledomain.es/index.php?pingto=www.nessus.org%20|%20dir", + "path": "/index.php?pingto=www.nessus.org%20|%20dir", + "scheme": "http" + } + }, + { + "@timestamp": "2022-04-27T10:05:34.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 161 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1220", + "original": "Apr 27 10:05:02 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:05:34\" fw=172.16.0.2 pri=4 c=0 m=1220 msg=\"Invalid SNMP packet\" n=109062 src=172.16.2.2:36322 dst=172.16.2.1:161 note=\"Invalid engineID: 0\"", + "sequence": "109062", + "severity": "4", + "timezone": "+02:00" + }, + "log": { + "level": "warning" + }, + "message": "Invalid SNMP packet (Invalid engineID: 0)", + "observer": { + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ] + }, + "source": { + "ip": "172.16.2.2", + "port": 36322 + }, + "tags": [ 
+ "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:24:23.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "session-start", + "category": [ + "session" + ], + "code": "994", + "kind": "event", + "original": "Apr 27 10:23:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:24:23\" fw=172.16.0.2 pri=6 c=16 m=994 msg=\"Configuration mode administration session started\" sess=\"Web\" n=11 usr=\"admin\" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note=\"admin at GUI from 172.16.2.2\"", + "outcome": "success", + "sequence": "11", + "severity": "6", + "timezone": "+02:00", + "type": [ + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Configuration mode administration session started (admin at GUI from 172.16.2.2)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T11:03:13.000+02:00", + "destination": { + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 45071 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "83", + "kind": "alert", + "original": "Apr 27 11:02:40 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 11:03:13\" fw=172.16.0.2 pri=1 c=32 m=83 msg=\"Probable port scan detected\" n=7652 src=89.160.20.156:443:X1 
dst=172.16.0.2:45071:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/45071 note=\"TCP scanned port list, 20566, 41385, 14480, 57223, 53623, 36878, 10199, 31096, 4738, 45071\"", + "outcome": "success", + "sequence": "7652", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Probable port scan detected (TCP scanned port list, 20566, 41385, 14480, 57223, 53623, 36878, 10199, 31096, 4738, 45071)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00-53-2A-7D-1D-35", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:41:33.000+02:00", + "destination": { + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 35878 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "82", + "kind": "alert", + "original": "Apr 27 10:41:01 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:41:33\" fw=172.16.0.2 pri=1 c=32 m=82 msg=\"Possible port scan detected\" n=15066 src=89.160.20.156:443:X1 dst=172.16.0.2:35878:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/35878 note=\"TCP scanned port list, 33159, 33981, 8161, 51557, 7847\"", + "outcome": "success", + "sequence": "15066", + "severity": "1", + 
"timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Possible port scan detected (TCP scanned port list, 33159, 33981, 8161, 51557, 7847)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00-53-2A-7D-1D-35", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:26:50.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "mac": "00-53-C5-CA-BE-00", + "port": 10617 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "866", + "original": "Apr 27 10:26:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:26:50\" fw=172.16.1.1 pri=4 c=32 m=866 msg=\"Possible SYN Flood on IF X0 - src: 172.16.2.2:42668 dst: 67.43.156.12:10617 - rate: 465/sec continues\" sess=\"Web\" n=7342 usr=\"admin\" src=172.16.2.2:42668:X0 dst=67.43.156.12:10617 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/10617", + "sequence": "7342", + "severity": "4", + "timezone": "+02:00" + }, + "log": { + "level": "warning" + }, + "message": "Possible SYN Flood on IF X0 - src: 172.16.2.2:42668 dst: 67.43.156.12:10617 - rate: 465/sec continues", + "network": { + "transport": "tcp" + }, + "observer": 
{ + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "67.43.156.12", + "172.16.1.1" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "port": 42668 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T10:26:49.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "mac": "00-53-C5-CA-BE-00", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "867", + "original": "Apr 27 10:26:17 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:26:49\" fw=172.16.1.1 pri=1 c=32 m=867 msg=\"Possible SYN Flood on IF X0 - from machine xx:xx:a5:10:44:b8 with SYN rate of 173/sec has ceased\" sess=\"Web\" n=2158 usr=\"admin\" src=172.16.2.2:64983:X0 dst=81.2.69.144:80 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/http", + "sequence": "2158", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "Possible SYN Flood on IF X0 - from machine xx:xx:a5:10:44:b8 with SYN rate of 173/sec has ceased", + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "81.2.69.144", + "172.16.1.1" + ], + "user": [ + "admin" + ] 
+ }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "port": 64983 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T10:23:41.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "mac": "00-53-C5-CA-BE-00", + "port": 56432 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "internal-log-failure", + "category": [ + "host" + ], + "code": "53", + "kind": "event", + "original": "Apr 27 10:23:10 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:23:41\" fw=172.16.0.2 pri=3 c=2 m=53 msg=\"The cache is full; %u open connections; some will be dropped32000 cacheCurrentInUse, 0 freed from pendingFreeList (Total 12)\" n=4094019 src=172.16.2.2:58636:X0 dst=67.43.156.13:56432:X1 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/56432", + "outcome": "failure", + "sequence": "4094019", + "severity": "3", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "error" + }, + "message": "The cache is full; %u open connections; some will be dropped32000 cacheCurrentInUse, 0 freed from pendingFreeList (Total 12)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "67.43.156.13", + "172.16.0.2" + ] + }, + "source": { + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "port": 58636 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:22:14.000+02:00", + "destination": { + "geo": { + 
"continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "mac": "00-53-C5-CA-BE-00", + "port": 22402 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "860", + "kind": "alert", + "original": "Apr 27 10:21:42 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:22:14\" fw=172.16.0.2 pri=1 c=32 m=860 msg=\"Possible SYN Flood on IF X0 - src: 172.16.2.2:60062 dst: 67.43.156.14:22402\" n=2152 src=172.16.2.2:60062:X0 dst=67.43.156.14:22402 srcMac=00:53:a5:10:44:b8 dstMac=00:53:c5:ca:be:00 proto=tcp/22402", + "outcome": "success", + "sequence": "2152", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Possible SYN Flood on IF X0 - src: 172.16.2.2:60062 dst: 67.43.156.14:22402", + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "67.43.156.14", + "172.16.0.2" + ] + }, + "source": { + "ip": "172.16.2.2", + "mac": "00-53-A5-10-44-B8", + "port": 60062 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T21:37:57.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 123 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1231", + "original": "Apr 27 21:37:24 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 21:37:57\" fw=172.16.0.2 pri=5 c=128 m=1231 msg=\"Time update from NTP server was successful\" n=458 src=172.16.0.2:123:X0 
dst=67.43.156.15:123:X1 note=\"Received reply from NTP server 67.43.156.15. Update system time from 04/27/2022 21:37:56.416 to 04/27/2022 21:37:57.528\"", + "sequence": "458", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Time update from NTP server was successful (Received reply from NTP server 67.43.156.15. Update system time from 04/27/2022 21:37:56.416 to 04/27/2022 21:37:57.528)", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "67.43.156.15" + ] + }, + "source": { + "ip": "172.16.0.2", + "port": 123 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T23:04:10.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 0 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "326", + "original": "Apr 27 23:03:37 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 23:04:10\" fw=172.16.1.1 pri=1 c=2 m=326 msg=\"Probing failure on NAT Static IP\" n=86 src=172.16.0.2::X1 dst=81.2.69.193:0:X1", + "sequence": "86", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "Probing failure on NAT Static IP", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + 
"172.16.0.2", + "81.2.69.193", + "172.16.1.1" + ] + }, + "source": { + "ip": "172.16.0.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T11:34:36.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 123 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1232", + "original": "Apr 27 11:34:04 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 11:34:36\" fw=172.16.0.2 pri=5 c=128 m=1232 msg=\"NTP Request sent\" n=455 src=172.16.0.2:123:X0 dst=67.43.156.15:123:X1 note=\"Send request to NTP server 67.43.156.15\"", + "sequence": "455", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "NTP Request sent (Send request to NTP server 67.43.156.15)", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "67.43.156.15" + ] + }, + "source": { + "ip": "172.16.0.2", + "port": 123 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:24:35.000+02:00", + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "586", + "original": "Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:24:35\" fw=172.16.1.1 pri=1 c=2 m=586 msg=\"WLB Resource failed\" n=40 src=172.16.0.2::X1", + "sequence": "40", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "WLB Resource failed", + "observer": { + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": 
"firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "172.16.1.1" + ] + }, + "source": { + "ip": "172.16.0.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:24:35.000+02:00", + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "307", + "original": "Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:24:35\" fw=172.16.1.1 pri=4 c=2 m=307 msg=\"The network connection in use is NAT Static IP\" n=79 src=172.16.1.1::X5", + "sequence": "79", + "severity": "4", + "timezone": "+02:00" + }, + "log": { + "level": "warning" + }, + "message": "The network connection in use is NAT Static IP", + "observer": { + "ingress": { + "interface": { + "name": "X5" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.1.1" + ] + }, + "source": { + "ip": "172.16.1.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:24:35.000+02:00", + "destination": { + "ip": "172.16.1.1" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "584", + "original": "Apr 27 10:24:05 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:24:35\" fw=172.16.1.1 pri=1 c=2 m=584 msg=\"WLB Failover in progress\" n=41 src=172.16.0.2::X1 dst=172.16.1.1::X5", + "sequence": "41", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "WLB Failover in progress", + "observer": { + "egress": { + "interface": { + "name": "X5" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.1.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "172.16.1.1" + ] + }, + "source": { + "ip": "172.16.0.2" + }, + "tags": [ + "preserve_original_event" + 
] + }, + { + "@timestamp": "2022-04-28T06:38:51.000+02:00", + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1371", + "original": "Apr 28 06:38:17 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-28 06:38:51\" fw=172.16.0.2 pri=4 c=32 m=1371 msg=\"Possible TCP Flood on IF X1 - src: 82.98.136.100:80 dst: 172.16.0.2:15912 - rate: 1869/sec continues\" n=151", + "sequence": "151", + "severity": "4", + "timezone": "+02:00" + }, + "log": { + "level": "warning" + }, + "message": "Possible TCP Flood on IF X1 - src: 82.98.136.100:80 dst: 172.16.0.2:15912 - rate: 1869/sec continues", + "observer": { + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-28T06:37:59.000+02:00", + "destination": { + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 37462 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1370", + "original": "Apr 28 06:37:25 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-28 06:37:59\" fw=172.16.0.2 pri=1 c=32 m=1370 msg=\"Possible TCP Flood on IF X1 - from machine xx:xx:2a:7d:1d:35 with TCP packet rate of 3/sec has ceased\" n=60 src=81.2.69.145:443:X1 dst=172.16.0.2:37462:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/37462", + "sequence": "60", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "Possible TCP Flood on IF X1 - from machine xx:xx:2a:7d:1d:35 with TCP packet rate of 3/sec has ceased", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + 
"ip": [ + "81.2.69.145", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "00-53-2A-7D-1D-35", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-28T06:37:28.000+02:00", + "destination": { + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 12137 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "1369", + "kind": "alert", + "original": "Apr 28 06:36:54 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-28 06:37:28\" fw=172.16.0.2 pri=1 c=32 m=1369 msg=\"Possible TCP Flood on IF X1 - src: 81.2.69.145:443 dst: 172.16.0.2:12137\" n=58 src=81.2.69.145:443:X1 dst=172.16.0.2:12137:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/12137", + "outcome": "success", + "sequence": "58", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Possible TCP Flood on IF X1 - src: 81.2.69.145:443 dst: 172.16.0.2:12137", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": 
"00-53-2A-7D-1D-35", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-28T06:37:02.000+02:00", + "destination": { + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 61017 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "177", + "kind": "alert", + "original": "Apr 28 06:36:28 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-28 06:37:02\" fw=172.16.0.2 pri=1 c=32 m=177 msg=\"Probable TCP FIN scan detected\" n=70 src=81.2.69.145:80:X1 dst=172.16.0.2:61017:X1 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/61017 note=\"TCP scanned port list, 42998, 30957, 8099, 65027, 42142, 35538, 13062, 40855, 35544, 61017\"", + "outcome": "success", + "sequence": "70", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Probable TCP FIN scan detected (TCP scanned port list, 42998, 30957, 8099, 65027, 42142, 35538, 13062, 40855, 35544, 61017)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "00-53-2A-7D-1D-35", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T23:04:26.000+02:00", + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + 
"country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 0 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "436", + "original": "Apr 27 23:03:52 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 23:04:26\" fw=172.16.0.2 pri=1 c=2 m=436 msg=\"Probing succeeded on NAT Static IP\" n=47 src=172.16.0.2::X1 dst=89.160.20.112:0:X1", + "sequence": "47", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "Probing succeeded on NAT Static IP", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "89.160.20.112" + ] + }, + "source": { + "ip": "172.16.0.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T23:04:26.000+02:00", + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "585", + "original": "Apr 27 23:03:52 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 23:04:26\" fw=172.16.0.2 pri=1 c=2 m=585 msg=\"WLB Resource is now available\" n=44 src=172.16.0.2::X1", + "sequence": "44", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "WLB Resource is now available", + "observer": { + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2" + ] + }, + "source": { + "ip": "172.16.0.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T19:29:40.000+02:00", + "destination": 
{ + "ip": "172.16.0.2", + "mac": "00-53-C5-CA-BE-01", + "port": 81 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-blocked", + "category": [ + "intrusion_detection" + ], + "code": "267", + "kind": "alert", + "original": "Apr 27 19:29:07 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 19:29:40\" fw=172.16.0.2 pri=1 c=32 m=267 msg=\"TCP Xmas Tree dropped\" n=56 src=175.16.199.1:16345:X1 dst=172.16.0.2:81 srcMac=00:53:2a:7d:1d:35 dstMac=00:53:c5:ca:be:01 proto=tcp/81", + "outcome": "success", + "sequence": "56", + "severity": "1", + "timezone": "+02:00", + "type": [ + "denied" + ] + }, + "log": { + "level": "alert" + }, + "message": "TCP Xmas Tree dropped", + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "175.16.199.1", + "172.16.0.2" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "mac": "00-53-2A-7D-1D-35", + "port": 16345 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:32:51.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "session-end", + "category": [ + "session" + ], + "code": "998", + "duration": 510000000000, + "kind": "event", + "original": "Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:32:51\" fw=172.16.0.2 pri=6 c=16 m=998 msg=\"GUI administration session ended\" sess=\"Web\" dur=510 n=11 usr=\"admin\" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note=\"admin\"", + "outcome": 
"success", + "sequence": "11", + "severity": "6", + "timezone": "+02:00", + "type": [ + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "GUI administration session ended (admin)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T10:32:51.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "session-end", + "category": [ + "session" + ], + "code": "995", + "kind": "event", + "original": "Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:32:51\" fw=172.16.0.2 pri=6 c=16 m=995 msg=\"Configuration mode administration session ended\" n=11 src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444 note=\"admin at GUI from 172.16.2.2\"", + "outcome": "success", + "sequence": "11", + "severity": "6", + "timezone": "+02:00", + "type": [ + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Configuration mode administration session ended (admin at GUI from 172.16.2.2)", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ] + 
}, + "source": { + "ip": "172.16.2.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T10:24:23.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login-success", + "category": [ + "authentication" + ], + "code": "29", + "kind": "event", + "original": "Apr 27 10:23:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:24:23\" fw=172.16.0.2 pri=6 c=16 m=29 msg=\"Administrator login allowed\" sess=\"Web\" n=11 usr=\"admin\" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0 proto=tcp/4444", + "outcome": "success", + "sequence": "11", + "severity": "6", + "timezone": "+02:00", + "type": [ + "start", + "info" + ] + }, + "log": { + "level": "info" + }, + "message": "Administrator login allowed", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T10:32:51.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "logout", + "category": [ + "authentication" + ], + "code": "262", + "duration": 510000000000, + "kind": "event", + "original": "Apr 27 10:32:18 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 10:32:51\" fw=172.16.0.2 pri=6 c=16 m=262 msg=\"Administrator logged out - inactivity timer expired\" sess=\"Web\" dur=510 n=11 usr=\"admin\" src=172.16.2.2::X0 dst=172.16.2.1:4444:X0", + 
"outcome": "success", + "sequence": "11", + "severity": "6", + "timezone": "+02:00", + "type": [ + "end", + "info" + ] + }, + "log": { + "level": "info" + }, + "message": "Administrator logged out - inactivity timer expired", + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-27T23:04:26.000+02:00", + "destination": { + "ip": "172.16.0.2" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "435", + "original": "Apr 27 23:03:52 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 23:04:26\" fw=172.16.0.2 pri=1 c=2 m=435 msg=\"WLB Failback initiated by preemption due to a more preferred interface being operational\" n=40 src=172.16.1.1::X5 dst=172.16.0.2::X1", + "sequence": "40", + "severity": "1", + "timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "WLB Failback initiated by preemption due to a more preferred interface being operational", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X5" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.1.1", + "172.16.0.2" + ] + }, + "source": { + "ip": "172.16.1.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-29T03:46:56.000+02:00", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": 
"internal-log-failure", + "category": [ + "host" + ], + "code": "1107", + "kind": "event", + "original": "Apr 29 03:46:20 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-29 03:46:56\" fw=172.16.0.2 pri=1 c=2 m=1107 msg=\"Response from NTP Server is either incomplete or invalid\" n=8", + "outcome": "failure", + "sequence": "8", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Response from NTP Server is either incomplete or invalid", + "observer": { + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-29T03:46:56.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 123 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1230", + "original": "Apr 29 03:46:20 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-29 03:46:56\" fw=172.16.0.2 pri=5 c=128 m=1230 msg=\"Failed on updating time from NTP server\" n=8 src=172.16.0.2:123:X0 dst=67.43.156.15:123:X1 note=\"invalid NTP server 67.43.156.15\"", + "sequence": "8", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Failed on updating time from NTP server (invalid NTP server 67.43.156.15)", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.0.2", + "67.43.156.15" + ] + }, + "source": { + "ip": "172.16.0.2", + "port": 123 + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T09:42:51.000+02:00", + "destination": { + "ip": "172.16.2.1", + "port": 4444 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login-failure", + "category": [ + "authentication" + ], + "code": "30", + "kind": "event", + "original": "Apr 27 09:42:51 172.16.2.1 id=firewall sn=0000A0AAAA00 time=\"2022-04-27 09:42:51\" fw=172.16.0.2 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" sess=\"Web\" n=1 usr=\"admin\" src=172.16.2.2:17391:X0 dst=172.16.2.1:4444:X0 proto=tcp/4444", + "outcome": "failure", + "sequence": "1", + "severity": "1", + "timezone": "+02:00", + "type": [ + "start", + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Administrator login denied due to bad credentials", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "172.16.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0000A0AAAA00", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "172.16.2.2", + "172.16.2.1", + "172.16.0.2" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "sess": "Web" + } + }, + "source": { + "ip": "172.16.2.2", + "port": 17391 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + } + ] +} \ No newline at end of file diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log new file mode 100644 index 00000000000..13655b8a8f3 --- /dev/null +++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log 
@@ -0,0 +1,38 @@
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=216.160.83.57:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=216.160.83.57:36701:WAN dst=1.128.3.4:50000:WAN
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=216.160.83.57:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.128.3.4:500:WAN dst=216.160.83.57:500:WAN proto=udp/500 sent=344 rcvd=152
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=216.160.83.57:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=216.160.83.57:36703:WAN dst=1.128.3.4:50000:WAN
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=216.160.83.57:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=89.160.20.112:1026:WAN dst=1.128.3.4:6822:WAN type=3 code=3
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=89.160.20.112:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=216.160.83.57:500 dst=1.128.3.4:500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.128.3.4:500:WAN dst=216.160.83.57:500:WAN proto=udp/500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=216.160.83.57:500 dst=1.128.3.4:500
+Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
+Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=216.160.83.57:36699:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
+Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 rpkt=3 spkt=2 vpnpolicy="name"
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503 dst=192.168.5.10 proto=tcp/dns
+Jan 3 13:45:51 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:22" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=:28503:WAN:SOURCEHOST srcV6=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst=::LAN:DSTHOST proto=tcp/dns dstV6=::1
+id=firewall sn=XXXXXXX time="2015-11-21 14:30:38" fw=10.0.0.1 pri=5 msg="Unhandled link-local or multicast IPv6 packet dropped" srcV6=fe80::d4db:99b9:6f20:f6bd dstV6=ff02::c srcMac=00:53:ff:ff:55:55 dstMac=00:53:00:00:00:0c proto=udp/65535
+id=YYYYYY sn=XXXX time="2019-03-14 16:37:19 UTC" fw=172.29.1.2 pri=1 c=32 m=1388 msg="IPSec VPN Decryption Failed" n=1064050271 src=67.43.156.15 dst=81.2.69.193 note="Replay check failure."
+id=YYYYYY sn=XXXX time="2019-02-27 12:55:40 UTC" fw=10.1.1.1 pri=5 c=0 m=1197 msg="NAT Mapping" n=4748427 src=10.12.14.9::X500 dst=81.2.69.144::X3 proto=icmp note="Source: 2.228.169.242, 63130, Destination: 217.56.236.4, 8, Protocol: 1" rule="17 (LAN->WAN)"
+id=YYYYYY sn=XXXX time="2019-03-19 06:44:01 UTC" fw=10.1.1.1 pri=3 c=4 m=14 msg="Web site access denied" app=49177 appName="General HTTPS" n=856789 src=192.168.0.46:59668:X0:nb020.example.com dst=175.16.199.1:443:X1:example.com srcMac=00:53:ff:ff:99:c5 dstMac=00:53:66:66:99:99 proto=tcp/https dstname=example.com arg=/ code=49 Category="Freeware/Software Downloads"
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:24:30 UTC" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action="NA" dpi=0
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:29:37 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category="Search Engines and Portals" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=12345678 time="2022-02-22 18:34:21 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category="Business and Economy" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1 op=3
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 14:58:44 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:56242:X0 srcZone=Trusted natSrc=10.0.0.2:18447 dstMac=ab:09:87:65:43:21 dst=67.43.156.13:443:X1 dstZone=Untrusted natDst=67.43.156.13:443 usr="Unknown (SSO failed)" proto=tcp/https sent=1749 rcvd=968 app=7927 dstname=rcs-us-east-1.neoservice-aws.com arg=/ code=27 Category="Information Technology/Computers" note="Policy: cfsZonePolicy0, Info: 6148 " n=368203630 fw_action="NA" dpi=1 op="testing bad value"
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 05:29:32 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:56502:X0 srcZone=Trusted natSrc=10.0.0.2:15926 dstMac=ab:09:87:65:43:21 dst=67.43.156.14:80:X1 dstZone=Untrusted natDst=67.43.156.14:80 usr="Unknown (SSO failed)" proto=tcp/http sent=510 rcvd=955 app=5147 op=1 dstname=ocsp.digicert.com arg=/abcd code=27 Category="Information Technology/Computers" note="Policy: cfsZonePolicy0, Info: 6147 " n=367895985 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 18:44:05 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.4:37153:X0 natSrc=10.0.0.2:12325 dst=89.160.20.112:8800:X1 natDst=89.160.20.112:8800 proto=udp/8800 sent=284 spkt=1 app=49202 appName='General UDP' n=1846613339 fw_action="NA" dpi=0
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 18:57:05 UTC" fw=10.0.0.2 pri=1 c=32 gcat=3 m=608 src=67.43.156.15:8:X1 dst=10.0.0.3:1850:X0 msg="IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low" msg="IPS Detection Alert: ICMP Echo Reply" sid=316 ipscat="ICMP Echo Reply" ipspri=3 n=174072 fw_action="NA"
+10.0.0.1 id=firewall sn=12345678 time="2022-03-11 14:17:52 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 srcMac=12:34:56:78:90:ab src=10.0.0.4:41856:X0 srcZone=Trusted natSrc=10.0.0.2:8689 dstMac=ab:09:87:65:43:21 dst=89.160.20.112:443:X1 dstZone=Untrusted natDst=89.160.20.112:443 usr="Unknown (SSO failed)" proto=tcp/https sent=104 rcvd=230 rule="15 (LAN->WAN)" app=5 af_polid=4 ipscat=N/A appcat="PROXY-ACCESS" appid=2900 dstname=89.160.20.112 arg=/ code=64 Category="Not Rated" note="Policy: cfsZonePolicy0, Info: 6148 " n=2520325 fw_action="NA" dpi=1 op=0
+<129> id=firewall sn=ZZZZZZZZZ time="2022-02-24 03:29:07" fw=192.168.33.1 pri=1 c=32 m=609 msg="IPS Prevention Alert: WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution" sid=2307 ipscat="WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution" ipspri=2 n=8158 src=216.160.83.61:54192:X20-V60 dst=:8080:X20-V68 dstV6=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 fw_action="drop"
+<134> id=firewall sn=xxxxxxxxxxxxxxx time="2022-05-06 16:10:06" fw=192.168.255.6 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=89.160.20.112:42082:X4-V1032 dst=67.43.156.12:4433:X4-V1032 proto=tcp/4433 sent=52 app=49330 appName='Service iMesh' n=3591578 fw_action="NA" dpi=0
+<134> id=firewall sn=xxxxxxxxxxxxxxx time="2022-05-06 16:10:06" fw=192.168.255.6 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=1.128.3.4:26391:X4-V1032 dst=67.43.156.12:4433:X4-V1032 proto=tcp/4433 sent=52 app=49330 appName='Service iMesh' n=3591579 fw_action="NA" dpi=0
+<134> id=firewall sn=xxxxxxxxxxxxxxx time="2022-05-06 16:10:06" fw=192.168.255.6 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=192.168.24.228:56783:X4-V1032 srcZone=TEST dstMac=00:53:12:34:56:78 dst=67.43.156.12:53:X6 dstZone=Trusted usr="TheUser" proto=udp/dns sent=63 rcvd=115 spkt=1 rpkt=1 cdur=30016 sess="sslvpnc" rule="157 (SSLVPN->SERVER)" app=49169 appName='General DNS' n=54094499 fw_action="NA" dpi=0
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log-expected.json b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log-expected.json
new file mode 100644
index 00000000000..f2867174c22
--- /dev/null
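Review bot: The `note="Source: 2.228.169.242, 63130, Destination: 217.56.236.4, 8, Protocol: 1"` value on the NAT Mapping line and the `dstname=` values `chat-pa.clients6.google.com`, `seg.ad.gt`, `ocsp.digicert.com` and `rcs-us-east-1.neoservice-aws.com` on the Web site hit lines reference real public addresses and third-party hostnames, while the other `src=`/`dst=` values in this fixture appear to be drawn from reserved or test address ranges. Since this log is committed as a pipeline test input and its contents are replayed into the expected-output JSON, it would be consistent to rewrite those values to documentation ranges and example.com-style names as the `nb020.example.com` / `example.com` line already does, for instance `note="Source: 192.0.2.10, 63130, Destination: 198.51.100.20, 8, Protocol: 1"` and `dstname=ocsp.example.com`. The line with two `msg=` fields on the `m=608` event looks deliberate (exercising duplicate-key handling), but a leading comment or a mention in the data stream README would make that intent clear to the next person regenerating the expected file.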
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-general.log-expected.json 
@@ -0,0 +1,3074 @@ +{ + "expected": [ + { + "@timestamp": "2007-01-03T14:48:06.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=216.160.83.57:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "outcome": "success", + "sequence": "23419", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login-failure", + "category": [ + "authentication" + ], + "code": "30", + "kind": "event", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=216.160.83.57:36701:WAN 
dst=1.128.3.4:50000:WAN", + "outcome": "failure", + "sequence": "7", + "severity": "1", + "timezone": "+02:00", + "type": [ + "start", + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=216.160.83.57:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "outcome": "success", + "sequence": "23420", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + 
"related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36702 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000+02:00", + "destination": { + "bytes": 242, + "ip": "192.168.5.10", + "port": 53 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "outcome": "success", + "sequence": "567996", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 499, + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.4.10", + "192.168.5.10", + "1.128.3.4" + ] + }, + "source": { + "bytes": 257, + "ip": "192.168.4.10", + "port": 27577 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:08.000+02:00", + "destination": { + "bytes": 13042, + "ip": "192.168.1.100", + "port": 1026 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + 
"kind": "event", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "outcome": "success", + "sequence": "567997", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 16632, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.5.56", + "192.168.1.100", + "1.128.3.4" + ] + }, + "sonicwall": { + "firewall": { + "vpnpolicy": "name" + } + }, + "source": { + "bytes": 3590, + "ip": "192.168.5.56", + "port": 4277 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000+02:00", + "destination": { + "bytes": 454118, + "ip": "192.168.2.81", + "port": 41850 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "outcome": "success", + "sequence": "567999", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 840144, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + 
}, + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.5.56", + "192.168.2.81", + "1.128.3.4" + ] + }, + "sonicwall": { + "firewall": { + "vpnpolicy": "name" + } + }, + "source": { + "bytes": 386026, + "ip": "192.168.5.56", + "port": 4280 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000+02:00", + "destination": { + "bytes": 152, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 500 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.128.3.4:500:WAN dst=216.160.83.57:500:WAN proto=udp/500 sent=344 rcvd=152", + "outcome": "success", + "sequence": "567999", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 496, + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "1.128.3.4", + "216.160.83.57" + ] + }, + "source": { + "bytes": 344, + "ip": "1.128.3.4", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { 
+ "@timestamp": "2007-01-03T14:48:10.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=216.160.83.57:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "outcome": "success", + "sequence": "23421", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36703 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login-failure", + "category": [ + "authentication" + ], + "code": "30", + "kind": "event", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=216.160.83.57:36703:WAN dst=1.128.3.4:50000:WAN", + "outcome": "failure", + "sequence": 
"8", + "severity": "1", + "timezone": "+02:00", + "type": [ + "start", + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36703 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:11.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=216.160.83.57:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "outcome": "success", + "sequence": "23422", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + 
"source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36704 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:14.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 6822 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-dropped", + "category": [ + "network" + ], + "code": "38", + "kind": "event", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=89.160.20.112:1026:WAN dst=1.128.3.4:6822:WAN type=3 code=3", + "outcome": "success", + "sequence": "22070", + "severity": "5", + "timezone": "+02:00", + "type": [ + "denied" + ] + }, + "log": { + "level": "notice" + }, + "message": "ICMP packet dropped", + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.112", + "1.128.3.4" + ] + }, + "sonicwall": { + "firewall": { + "code": "3", + "type": "3" + } + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 1026 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:14.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 0 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": 
"connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=89.160.20.112:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0", + "outcome": "success", + "sequence": "568000", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.112", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 1026 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 500 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "346", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=216.160.83.57:500 dst=1.128.3.4:500", + "sequence": "171872", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": "IKE Initiator: Start Quick Mode (Phase 2).", + "observer": { + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + 
}, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000+02:00", + "destination": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 500 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.128.3.4:500:WAN dst=216.160.83.57:500:WAN proto=udp/500", + "outcome": "success", + "sequence": "23423", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "1.128.3.4", + "216.160.83.57" + ] + }, + "source": { + "ip": "1.128.3.4", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000+02:00", + "destination": { + "ip": "1.128.3.4", + "port": 500 + }, + 
"ecs": { + "version": "8.2.0" + }, + "event": { + "code": "483", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=216.160.83.57:500 dst=1.128.3.4:500", + "sequence": "171625", + "severity": "4", + "timezone": "+02:00" + }, + "log": { + "level": "warning" + }, + "message": "Received notify: INVALID_ID_INFO", + "observer": { + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000+02:00", + "destination": { + "ip": "192.168.5.10", + "port": 53 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "outcome": "success", + "sequence": "23424", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + 
"serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.115.10", + "192.168.5.10", + "1.128.3.4" + ] + }, + "source": { + "ip": "192.168.115.10", + "port": 11549 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:17.000+02:00", + "destination": { + "ip": "192.168.1.100", + "port": 445 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", + "outcome": "success", + "sequence": "23425", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.5.64", + "192.168.1.100", + "1.128.3.4" + ] + }, + "source": { + "ip": "192.168.5.64", + "port": 3182 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:18.000+02:00", + "destination": { + "bytes": 957, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=216.160.83.57:36699:WAN dst=1.128.3.4:50000:WAN 
proto=tcp/50000 sent=1557 rcvd=957", + "outcome": "success", + "sequence": "568001", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 2514, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.57", + "1.128.3.4" + ] + }, + "source": { + "bytes": 1557, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 36699 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:20.000+02:00", + "destination": { + "bytes": 254, + "ip": "192.168.1.100", + "packets": 3, + "port": 53 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 rpkt=3 spkt=2 vpnpolicy=\"name\"", + "outcome": "success", + "sequence": "568002", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 655, + "packets": 5, + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + } + }, + "ingress": { + 
"interface": { + "name": "LAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.5.10", + "192.168.1.100", + "1.128.3.4" + ] + }, + "sonicwall": { + "firewall": { + "vpnpolicy": "name" + } + }, + "source": { + "bytes": 401, + "ip": "192.168.5.10", + "packets": 2, + "port": 3417 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:20.000+02:00", + "destination": { + "ip": "192.168.5.10", + "port": 3582 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "outcome": "success", + "sequence": "23426", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.125.75", + "192.168.5.10", + "1.128.3.4" + ] + }, + "source": { + "ip": "192.168.125.75", + "port": 524 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:21.000+02:00", + "destination": { + "ip": "192.168.5.10" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall 
sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503 dst=192.168.5.10 proto=tcp/dns", + "outcome": "success", + "sequence": "23427", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.6.10", + "192.168.5.10", + "1.128.3.4" + ] + }, + "source": { + "ip": "192.168.6.10", + "port": 28503 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:22.000+02:00", + "destination": { + "domain": "DSTHOST", + "ip": "::1" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "Jan 3 13:45:51 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:22\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=:28503:WAN:SOURCEHOST srcV6=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst=::LAN:DSTHOST proto=tcp/dns dstV6=::1", + "outcome": "success", + "sequence": "23427", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + } + }, + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "1.128.3.4", + "name": "firewall", + "product": "SonicOS", + "serial_number": "000SERIAL", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "::1", + "1.128.3.4" + ] + }, + "source": { + 
"domain": "SOURCEHOST", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 28503 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-11-21T14:30:38.000+02:00", + "destination": { + "ip": "ff02::c", + "mac": "00-53-00-00-00-0C" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "original": "id=firewall sn=XXXXXXX time=\"2015-11-21 14:30:38\" fw=10.0.0.1 pri=5 msg=\"Unhandled link-local or multicast IPv6 packet dropped\" srcV6=fe80::d4db:99b9:6f20:f6bd dstV6=ff02::c srcMac=00:53:ff:ff:55:55 dstMac=00:53:00:00:00:0c proto=udp/65535", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Unhandled link-local or multicast IPv6 packet dropped", + "network": { + "transport": "udp" + }, + "observer": { + "ip": "10.0.0.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "XXXXXXX", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "fe80::d4db:99b9:6f20:f6bd", + "ff02::c", + "10.0.0.1" + ] + }, + "source": { + "ip": "fe80::d4db:99b9:6f20:f6bd", + "mac": "00-53-FF-FF-55-55" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-03-14T18:37:19.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "1388", + "original": "id=YYYYYY sn=XXXX time=\"2019-03-14 16:37:19 UTC\" fw=172.29.1.2 pri=1 c=32 m=1388 msg=\"IPSec VPN Decryption Failed\" n=1064050271 src=67.43.156.15 dst=81.2.69.193 note=\"Replay check failure.\"", + "sequence": "1064050271", + "severity": "1", + 
"timezone": "+02:00" + }, + "log": { + "level": "alert" + }, + "message": "IPSec VPN Decryption Failed (Replay check failure.)", + "observer": { + "ip": "172.29.1.2", + "name": "YYYYYY", + "product": "SonicOS", + "serial_number": "XXXX", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "67.43.156.15", + "81.2.69.193", + "172.29.1.2" + ] + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-02-27T14:55:40.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-info", + "category": [ + "network" + ], + "code": "1197", + "kind": "event", + "original": "id=YYYYYY sn=XXXX time=\"2019-02-27 12:55:40 UTC\" fw=10.1.1.1 pri=5 c=0 m=1197 msg=\"NAT Mapping\" n=4748427 src=10.12.14.9::X500 dst=81.2.69.144::X3 proto=icmp note=\"Source: 2.228.169.242, 63130, Destination: 217.56.236.4, 8, Protocol: 1\" rule=\"17 (LAN-\u003eWAN)\"", + "outcome": "success", + "sequence": "4748427", + "severity": "5", + "timezone": "+02:00", + "type": [ + "connection", + "info" + ] + }, + "log": { + "level": "notice" + }, + "message": "NAT Mapping (Source: 2.228.169.242, 63130, Destination: 217.56.236.4, 8, Protocol: 1)", + "network": { + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "X3" + } + }, + "ingress": { + "interface": { + "name": "X500" + } + }, + "ip": "10.1.1.1", + "name": "YYYYYY", + "product": "SonicOS", + "serial_number": "XXXX", + "type": "firewall", + "vendor": "SonicWall" + }, + 
"related": { + "ip": [ + "10.12.14.9", + "81.2.69.144", + "10.1.1.1" + ] + }, + "rule": { + "id": "17 (LAN-\u003eWAN)" + }, + "source": { + "ip": "10.12.14.9" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-03-19T08:44:01.000+02:00", + "destination": { + "domain": "example.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "mac": "00-53-66-66-99-99", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "14", + "kind": "event", + "original": "id=YYYYYY sn=XXXX time=\"2019-03-19 06:44:01 UTC\" fw=10.1.1.1 pri=3 c=4 m=14 msg=\"Web site access denied\" app=49177 appName=\"General HTTPS\" n=856789 src=192.168.0.46:59668:X0:nb020.example.com dst=175.16.199.1:443:X1:example.com srcMac=00:53:ff:ff:99:c5 dstMac=00:53:66:66:99:99 proto=tcp/https dstname=example.com arg=/ code=49 Category=\"Freeware/Software Downloads\"", + "outcome": "success", + "sequence": "856789", + "severity": "3", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "error" + }, + "message": "Web site access denied", + "network": { + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.1.1.1", + "name": "YYYYYY", + "product": "SonicOS", + "serial_number": "XXXX", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "192.168.0.46", + "175.16.199.1", + "10.1.1.1" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Freeware/Software Downloads", + "app": "49177", + "appName": "General HTTPS", + "code": "49" + } + }, + "source": { + "domain": "nb020.example.com", + 
"ip": "192.168.0.46", + "mac": "00-53-FF-FF-99-C5", + "port": 59668 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "full": "https://example.com/", + "path": "/", + "scheme": "https" + } + }, + { + "@timestamp": "2022-02-22T20:24:30.000+02:00", + "destination": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:24:30 UTC\" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "123456789", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 52, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "123456789", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.3", + "10.0.0.2", + "216.160.83.61" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "sonicwall": { + "firewall": { + "app": "49177", + "appName": "General HTTPS", + "dpi": "false", + "event_group_category": "Firewall 
Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.3", + "nat": { + "ip": "10.0.0.2", + "port": 48245 + }, + "port": 52379 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-02-22T20:29:37.000+02:00", + "destination": { + "bytes": 14226, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "AB-09-87-65-43-21", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:29:37 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category=\"Search Engines and Portals\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1", + "sequence": "123456789", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": "Web site hit (Policy: cfsZonePolicy0, Info: 6148 )", + "network": { + "bytes": 17749, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "123456789", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.3", + "10.0.0.2", + 
"216.160.83.61" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Search Engines and Portals", + "app": "7927", + "code": "29", + "dpi": "true", + "event_group_category": "System", + "gcat": "2" + } + }, + "source": { + "bytes": 3523, + "ip": "10.0.0.3", + "mac": "12-34-56-78-90-AB", + "nat": { + "ip": "10.0.0.2", + "port": 47621 + }, + "port": 64828 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "chat-pa.clients6.google.com", + "full": "https://chat-pa.clients6.google.com/", + "path": "/", + "scheme": "https" + }, + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-02-22T20:34:21.000+02:00", + "destination": { + "bytes": 6642, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "AB-09-87-65-43-21", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-02-22 18:34:21 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category=\"Business and Economy\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1 op=3", + "sequence": "123456789", + "severity": "6", + "timezone": "+02:00" + }, + "http": { + "request": { + "method": "HEAD" + } + }, + "log": { + "level": "info" + }, + "message": "Web site hit (Policy: cfsZonePolicy0, Info: 6148 )", + "network": { + "bytes": 8721, 
+ "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.3", + "10.0.0.2", + "216.160.83.61" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Business and Economy", + "app": "7927", + "code": "15", + "dpi": "true", + "event_group_category": "System", + "gcat": "2" + } + }, + "source": { + "bytes": 2079, + "ip": "10.0.0.3", + "mac": "12-34-56-78-90-AB", + "nat": { + "ip": "10.0.0.2", + "port": 53466 + }, + "port": 49217 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "seg.ad.gt", + "full": "https://seg.ad.gt/", + "path": "/", + "scheme": "https" + }, + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T16:58:44.000+02:00", + "destination": { + "bytes": 968, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "mac": "AB-09-87-65-43-21", + "nat": { + "ip": "67.43.156.13", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 14:58:44 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:56242:X0 srcZone=Trusted natSrc=10.0.0.2:18447 dstMac=ab:09:87:65:43:21 dst=67.43.156.13:443:X1 dstZone=Untrusted natDst=67.43.156.13:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=1749 rcvd=968 app=7927 dstname=rcs-us-east-1.neoservice-aws.com arg=/ code=27 Category=\"Information Technology/Computers\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" 
n=368203630 fw_action=\"NA\" dpi=1 op=\"testing bad value\"", + "sequence": "368203630", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": "Web site hit (Policy: cfsZonePolicy0, Info: 6148 )", + "network": { + "bytes": 2717, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.3", + "10.0.0.2", + "67.43.156.13" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Information Technology/Computers", + "app": "7927", + "code": "27", + "dpi": "true", + "event_group_category": "System", + "gcat": "2" + } + }, + "source": { + "bytes": 1749, + "ip": "10.0.0.3", + "mac": "12-34-56-78-90-AB", + "nat": { + "ip": "10.0.0.2", + "port": 18447 + }, + "port": 56242 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "rcs-us-east-1.neoservice-aws.com", + "full": "https://rcs-us-east-1.neoservice-aws.com/", + "path": "/", + "scheme": "https" + }, + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T07:29:32.000+02:00", + "destination": { + "bytes": 955, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "mac": "AB-09-87-65-43-21", + "nat": { + "ip": "67.43.156.14", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 05:29:32 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:56502:X0 srcZone=Trusted 
natSrc=10.0.0.2:15926 dstMac=ab:09:87:65:43:21 dst=67.43.156.14:80:X1 dstZone=Untrusted natDst=67.43.156.14:80 usr=\"Unknown (SSO failed)\" proto=tcp/http sent=510 rcvd=955 app=5147 op=1 dstname=ocsp.digicert.com arg=/abcd code=27 Category=\"Information Technology/Computers\" note=\"Policy: cfsZonePolicy0, Info: 6147 \" n=367895985 fw_action=\"NA\" dpi=1", + "sequence": "367895985", + "severity": "6", + "timezone": "+02:00" + }, + "http": { + "request": { + "method": "GET" + } + }, + "log": { + "level": "info" + }, + "message": "Web site hit (Policy: cfsZonePolicy0, Info: 6147 )", + "network": { + "bytes": 1465, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.3", + "10.0.0.2", + "67.43.156.14" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "sonicwall": { + "firewall": { + "Category": "Information Technology/Computers", + "app": "5147", + "code": "27", + "dpi": "true", + "event_group_category": "System", + "gcat": "2" + } + }, + "source": { + "bytes": 510, + "ip": "10.0.0.3", + "mac": "12-34-56-78-90-AB", + "nat": { + "ip": "10.0.0.2", + "port": 15926 + }, + "port": 56502 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "ocsp.digicert.com", + "full": "http://ocsp.digicert.com/abcd", + "path": "/abcd", + "scheme": "http" + }, + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T20:44:05.000+02:00", + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland 
County" + }, + "ip": "89.160.20.112", + "nat": { + "ip": "89.160.20.112", + "port": 8800 + }, + "port": 8800 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "kind": "event", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 18:44:05 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=10.0.0.4:37153:X0 natSrc=10.0.0.2:12325 dst=89.160.20.112:8800:X1 natDst=89.160.20.112:8800 proto=udp/8800 sent=284 spkt=1 app=49202 appName='General UDP' n=1846613339 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "1846613339", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 284, + "packets": 1, + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.4", + "10.0.0.2", + "89.160.20.112" + ] + }, + "sonicwall": { + "firewall": { + "app": "49202", + "appName": "General UDP", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 284, + "ip": "10.0.0.4", + "nat": { + "ip": "10.0.0.2", + "port": 12325 + }, + "packets": 1, + "port": 37153 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-09T20:57:05.000+02:00", + "destination": { + "ip": "10.0.0.3", + "port": 1850 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-detected", + "category": [ + "intrusion_detection" + ], + "code": "608", + "kind": "alert", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 18:57:05 UTC\" fw=10.0.0.2 pri=1 c=32 gcat=3 m=608 
src=67.43.156.15:8:X1 dst=10.0.0.3:1850:X0 msg=\"IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low\" msg=\"IPS Detection Alert: ICMP Echo Reply\" sid=316 ipscat=\"ICMP Echo Reply\" ipspri=3 n=174072 fw_action=\"NA\"", + "outcome": "success", + "sequence": "174072", + "severity": "1", + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "log": { + "level": "alert" + }, + "message": "{0=IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low, 1=IPS Detection Alert: ICMP Echo Reply}", + "observer": { + "egress": { + "interface": { + "name": "X0" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "67.43.156.15", + "10.0.0.3", + "10.0.0.2" + ] + }, + "sonicwall": { + "firewall": { + "event_group_category": "Log", + "gcat": "3", + "ipscat": "ICMP Echo Reply", + "ipspri": "3", + "sid": "316" + } + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 8 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-11T16:17:52.000+02:00", + "destination": { + "bytes": 230, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "mac": "AB-09-87-65-43-21", + "nat": { + "ip": "89.160.20.112", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "code": "97", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-11 14:17:52 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 srcMac=12:34:56:78:90:ab src=10.0.0.4:41856:X0 srcZone=Trusted 
natSrc=10.0.0.2:8689 dstMac=ab:09:87:65:43:21 dst=89.160.20.112:443:X1 dstZone=Untrusted natDst=89.160.20.112:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=104 rcvd=230 rule=\"15 (LAN-\u003eWAN)\" app=5 af_polid=4 ipscat=N/A appcat=\"PROXY-ACCESS\" appid=2900 dstname=89.160.20.112 arg=/ code=64 Category=\"Not Rated\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=2520325 fw_action=\"NA\" dpi=1 op=0", + "sequence": "2520325", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": "Policy: cfsZonePolicy0, Info: 6148 ", + "network": { + "bytes": 334, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.2", + "name": "firewall", + "product": "SonicOS", + "serial_number": "12345678", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.4", + "10.0.0.2", + "89.160.20.112" + ], + "user": [ + "Unknown (SSO failed)" + ] + }, + "rule": { + "id": "15 (LAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "Category": "Not Rated", + "af_polid": "4", + "app": "5", + "appcat": "PROXY-ACCESS", + "appid": "2900", + "code": "64", + "dpi": "true", + "event_group_category": "System", + "gcat": "2", + "ipscat": "N/A" + } + }, + "source": { + "bytes": 104, + "ip": "10.0.0.4", + "mac": "12-34-56-78-90-AB", + "nat": { + "ip": "10.0.0.2", + "port": 8689 + }, + "port": 41856 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.112", + "full": "https://89.160.20.112/", + "path": "/", + "scheme": "https" + }, + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-02-24T03:29:07.000+02:00", + "destination": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": 
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 8080 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "attack-blocked", + "category": [ + "intrusion_detection" + ], + "code": "609", + "kind": "alert", + "original": "\u003c129\u003e id=firewall sn=ZZZZZZZZZ time=\"2022-02-24 03:29:07\" fw=192.168.33.1 pri=1 c=32 m=609 msg=\"IPS Prevention Alert: WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution\" sid=2307 ipscat=\"WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution\" ipspri=2 n=8158 src=216.160.83.61:54192:X20-V60 dst=:8080:X20-V68 dstV6=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 fw_action=\"drop\"", + "outcome": "success", + "sequence": "8158", + "severity": "1", + "timezone": "+02:00", + "type": [ + "denied" + ] + }, + "log": { + "level": "alert" + }, + "message": "IPS Prevention Alert: WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution", + "observer": { + "egress": { + "interface": { + "name": "X20-V68" + } + }, + "ingress": { + "interface": { + "name": "X20-V60" + } + }, + "ip": "192.168.33.1", + "name": "firewall", + "product": "SonicOS", + "serial_number": "ZZZZZZZZZ", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "216.160.83.61", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "192.168.33.1" + ] + }, + "sonicwall": { + "firewall": { + "ipscat": "WEB-ATTACKS Apache Log4j2 JNDI Log Messages Remote Code Execution", + "ipspri": "2", + "sid": "2307" + } + }, + "source": { + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "port": 54192 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-06T16:10:06.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": 
"Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "port": 4433 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=xxxxxxxxxxxxxxx time=\"2022-05-06 16:10:06\" fw=192.168.255.6 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=89.160.20.112:42082:X4-V1032 dst=67.43.156.12:4433:X4-V1032 proto=tcp/4433 sent=52 app=49330 appName='Service iMesh' n=3591578 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "3591578", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 52, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X4-V1032" + } + }, + "ingress": { + "interface": { + "name": "X4-V1032" + } + }, + "ip": "192.168.255.6", + "name": "firewall", + "product": "SonicOS", + "serial_number": "xxxxxxxxxxxxxxx", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.112", + "67.43.156.12", + "192.168.255.6" + ] + }, + "sonicwall": { + "firewall": { + "app": "49330", + "appName": "Service iMesh", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 42082 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-06T16:10:06.000+02:00", + "destination": { + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + 
"ip": "67.43.156.12",
+ "port": 4433
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "connection-start",
+ "category": [
+ "network"
+ ],
+ "code": "98",
+ "kind": "event",
+ "original": "\u003c134\u003e id=firewall sn=xxxxxxxxxxxxxxx time=\"2022-05-06 16:10:06\" fw=192.168.255.6 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=1.128.3.4:26391:X4-V1032 dst=67.43.156.12:4433:X4-V1032 proto=tcp/4433 sent=52 app=49330 appName='Service iMesh' n=3591579 fw_action=\"NA\" dpi=0",
+ "outcome": "success",
+ "sequence": "3591579",
+ "severity": "6",
+ "timezone": "+02:00",
+ "type": [
+ "connection",
+ "start"
+ ]
+ },
+ "log": {
+ "level": "info"
+ },
+ "message": "Connection Opened",
+ "network": {
+ "bytes": 52,
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "X4-V1032"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "X4-V1032"
+ }
+ },
+ "ip": "192.168.255.6",
+ "name": "firewall",
+ "product": "SonicOS",
+ "serial_number": "xxxxxxxxxxxxxxx",
+ "type": "firewall",
+ "vendor": "SonicWall"
+ },
+ "related": {
+ "ip": [
+ "1.128.3.4",
+ "67.43.156.12",
+ "192.168.255.6"
+ ]
+ },
+ "sonicwall": {
+ "firewall": {
+ "app": "49330",
+ "appName": "Service iMesh",
+ "dpi": "false",
+ "event_group_category": "Firewall Settings",
+ "gcat": "6"
+ }
+ },
+ "source": {
+ "bytes": 52,
+ "ip": "1.128.3.4",
+ "port": 26391
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-06T16:10:06.000+02:00",
+ "destination": {
+ "bytes": 115,
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.12",
+ "mac": "00-53-12-34-56-78",
+ "packets": 1,
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "connection-end",
+ "category": [
+ "network"
+ ],
+ "code": "537",
+ "duration": 30016000000,
+ "kind": "event",
+ "original": "\u003c134\u003e id=firewall 
sn=xxxxxxxxxxxxxxx time=\"2022-05-06 16:10:06\" fw=192.168.255.6 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=192.168.24.228:56783:X4-V1032 srcZone=TEST dstMac=00:53:12:34:56:78 dst=67.43.156.12:53:X6 dstZone=Trusted usr=\"TheUser\" proto=udp/dns sent=63 rcvd=115 spkt=1 rpkt=1 cdur=30016 sess=\"sslvpnc\" rule=\"157 (SSLVPN-\u003eSERVER)\" app=49169 appName='General DNS' n=54094499 fw_action=\"NA\" dpi=0",
+ "outcome": "success",
+ "sequence": "54094499",
+ "severity": "6",
+ "timezone": "+02:00",
+ "type": [
+ "connection",
+ "end"
+ ]
+ },
+ "log": {
+ "level": "info"
+ },
+ "message": "Connection Closed",
+ "network": {
+ "bytes": 178,
+ "packets": 2,
+ "protocol": "dns",
+ "transport": "udp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "X6"
+ },
+ "zone": "Trusted"
+ },
+ "ingress": {
+ "interface": {
+ "name": "X4-V1032"
+ },
+ "zone": "TEST"
+ },
+ "ip": "192.168.255.6",
+ "name": "firewall",
+ "product": "SonicOS",
+ "serial_number": "xxxxxxxxxxxxxxx",
+ "type": "firewall",
+ "vendor": "SonicWall"
+ },
+ "related": {
+ "ip": [
+ "192.168.24.228",
+ "67.43.156.12",
+ "192.168.255.6"
+ ],
+ "user": [
+ "TheUser"
+ ]
+ },
+ "rule": {
+ "id": "157 (SSLVPN-\u003eSERVER)"
+ },
+ "sonicwall": {
+ "firewall": {
+ "app": "49169",
+ "appName": "General DNS",
+ "dpi": "false",
+ "event_group_category": "Firewall Settings",
+ "gcat": "6",
+ "sess": "sslvpnc"
+ }
+ },
+ "source": {
+ "bytes": 63,
+ "ip": "192.168.24.228",
+ "packets": 1,
+ "port": 56783
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "TheUser"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log
new file mode 100644
index 00000000000..8769bd9c918
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log 
@@ -0,0 +1,146 @@
+<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:26 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=795 usr="admin" src=81.2.69.193:65055:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1930 rcvd=1545 spkt=11 rpkt=7 dpi=0 cdur=2133 rule="Default Access Rule" fw_action="NA"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:26 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=797 usr="admin" src=81.2.69.193:65056:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=2146 rcvd=1611 spkt=11 rpkt=9 dpi=0 cdur=2483 rule="Default Access Rule" fw_action="NA"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:27 UTC" fw=10.0.0.96 pri=6 c=1024 m=537 msg="Connection Closed" app=12 sess="Web" n=799 usr="admin" src=81.2.69.193:65057:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1919 rcvd=1547 spkt=10 rpkt=7 dpi=0 cdur=2183 rule="Default Access Rule" fw_action="NA"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 15:22:28 UTC" fw=10.0.0.96 pri=6 c=262144 m=98 msg="Connection Opened" app=12 sess="Web" n=780 usr="admin" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=64 dpi=0 fw_action="NA"
+<133> id=firewall sn=0040103CE114 time="2022-05-16 15:22:28 UTC" fw=10.0.0.96 pri=5 c=16 m=526 msg="Web management request allowed" app=12 sess="Web" n=927 usr="admin" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 dstMac=06:6e:64:57:48:02 proto=tcp/https uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" rule="15 (WAN->WAN)" fw_action="mgmt"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=692 
fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=694 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr="admin" sess="API" msg="Configuration succeeded: 'Logging Level' , changed from [WARNING], changed to [DEBUG]" n=35 fw_action="NA" auditId=34 tranxId=26 userMode="Full" oldValue="WARNING"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:39" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr="admin" sess="API" msg="Configuration succeeded: 'Alert Level' , changed from [ALERT], changed to [WARNING]" n=37 fw_action="NA" auditId=35 tranxId=27 userMode="Full" oldValue="ALERT"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64888:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=2463 rcvd=1691 spkt=12 rpkt=10 cdur=2566 sess="Web" rule="Default Access Rule" app=12 n=449 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64889:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1935 rcvd=1577 spkt=10 rpkt=8 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=451 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:41" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:29675:X1 srcZone=Untrusted 
dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334100 rule="Default Access Rule" app=42 n=453 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64890:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=460 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=639 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64891:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=462 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=641 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64892:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=464 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted 
dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=643 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=696 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=698 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=700 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:42" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=702 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:43" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP 
Flag(s): RST" n=704 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:43" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=706 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64893:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=466 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=645 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1871 rcvd=1378 spkt=10 rpkt=7 cdur=2366 sess="Web" rule="Default Access Rule" app=12 n=455 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:44" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2366 sess="Web" rule="Default Access Rule" app=12 n=457 fw_action="NA" dpi=0
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted 
dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=708 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=710 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:45" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1896 rcvd=1279 spkt=11 rpkt=8 cdur=3450 sess="Web" rule="Default Access Rule" app=12 n=459 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8740 rcvd=256305 spkt=159 rpkt=181 cdur=2766 sess="Web" rule="Default Access Rule" app=12 n=461 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64894:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=468 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=647 fw_action="mgmt" 
uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=712 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=714 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64895:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=470 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=649 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=716 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:47" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted 
dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=718 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:49" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3259 rcvd=16551 spkt=18 rpkt=18 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=463 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:49" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1868 rcvd=1545 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=465 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:51" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:53022:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334050 rule="Default Access Rule" app=42 n=467 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64896:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=472 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=651 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> 
id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64897:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=474 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=653 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=720 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=722 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=724 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:52" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted 
usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=726 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:53" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64898:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=476 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:53" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=655 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=728 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=730 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64899:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=478 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted 
dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=657 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1931 rcvd=3588 spkt=11 rpkt=9 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=469 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:54" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=471 fw_action="NA" dpi=0
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:55" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=732 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:18:55" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=734 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:56" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1866 rcvd=1301 spkt=10 rpkt=8 
cdur=2116 sess="Web" rule="Default Access Rule" app=12 n=473 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:18:57" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8392 rcvd=253313 spkt=152 rpkt=179 cdur=2916 sess="Web" rule="Default Access Rule" app=12 n=475 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64901:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=480 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=659 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=736 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=738 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" 
src=81.2.69.193:64902:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=482 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=661 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64903:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=484 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=663 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=740 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=742 fw_action="drop"
+<135> id=firewall sn=0040103CE114 
time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=744 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:02" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=746 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64904:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=486 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=665 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=748 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr="admin" proto=tcp/https 
sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=750 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64905:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=488 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=667 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3243 rcvd=16551 spkt=18 rpkt=18 cdur=2216 sess="Web" rule="Default Access Rule" app=12 n=477 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1871 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=479 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:04" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2133 sess="Web" rule="Default Access Rule" app=12 n=481 fw_action="NA" dpi=0
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:05" fw=10.0.0.96 pri=7 
c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=752 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:05" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=754 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:06" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1866 rcvd=1255 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=483 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.145:43466:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=60 app=12 n=490 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=60 rule="15 (WAN->WAN)" app=12 note="policyCheck" n=669 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:07" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8438 rcvd=253369 spkt=153 rpkt=180 cdur=3283 sess="Web" rule="Default Access 
Rule" app=12 n=485 fw_action="NA" dpi=0
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=756 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=758 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:08" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=760 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:10" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https sent=1172 rcvd=2121 spkt=11 rpkt=8 cdur=3050 rule="Default Access Rule" app=12 n=487 fw_action="NA" dpi=0
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64906:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=492 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" 
app=12 note="policyCheck" n=671 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64907:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=494 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:12" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=673 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=762 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=764 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=766 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:13" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 
src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=768 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64908:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=496 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=675 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=770 fw_action="drop"
+<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=772 fw_action="drop"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64909:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=498 fw_action="NA" dpi=0
+<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:14" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 
msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=677 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1885 rcvd=3542 spkt=10 rpkt=8 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=489 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=491 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=774 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:15" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=776 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:16" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 
srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1850 rcvd=1301 spkt=10 rpkt=8 cdur=2166 sess="Web" rule="Default Access Rule" app=12 n=493 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:16" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:43808:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334116 rule="Default Access Rule" app=42 n=495 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=8438 rcvd=253354 spkt=153 rpkt=180 cdur=3266 sess="Web" rule="Default Access Rule" app=12 n=497 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64910:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=500 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=679 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=778 fw_action="drop" +<135> id=firewall 
sn=0040103CE114 time="2022-05-16 08:19:17" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=780 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:19" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=3243 rcvd=16567 spkt=18 rpkt=18 cdur=2183 sess="Web" rule="Default Access Rule" app=12 n=499 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=502 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54604:X1 srcZone=Untrusted natSrc=10.0.0.96:41479 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=151 fw_action="forward" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=504 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96:58515 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg="" note="stack 
traffic always trusted" n=153 fw_action="forward" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=89.160.20.156:27465:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334083 rule="Default Access Rule" app=42 n=501 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64912:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=506 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=681 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64913:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=508 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=683 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted 
usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=782 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=784 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=786 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=788 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=350 rcvd=916 spkt=5 rpkt=5 cdur=2050 app=9 n=503 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:23" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=334 rcvd=694 spkt=5 rpkt=5 cdur=2033 app=9 n=505 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 
msg="Connection Opened" src=81.2.69.193:64914:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=510 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=685 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=81.2.69.193:64915:X1 dst=10.0.0.96:443:X1 usr="admin" proto=tcp/https sent=64 sess="Web" app=12 n=512 fw_action="NA" dpi=0 +<133> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg="Web management request allowed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64915:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https rcvd=64 sess="Web" rule="15 (WAN->WAN)" app=12 note="policyCheck" n=687 fw_action="mgmt" uuid="18d4ad2b-4fa2-a827-0700-0040103ce114" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=790 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:24" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=792 fw_action="drop" +<134> 
id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2150 sess="Web" rule="Default Access Rule" app=12 n=507 fw_action="NA" dpi=0 +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1931 rcvd=3526 spkt=11 rpkt=8 cdur=2150 sess="Web" rule="Default Access Rule" app=12 n=509 fw_action="NA" dpi=0 +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=794 fw_action="drop" +<135> id=firewall sn=0040103CE114 time="2022-05-16 08:19:25" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=46 sess="Web" rule="15 (WAN->WAN)" app=12 msg="�" note="TCP Flag(s): RST" n=796 fw_action="drop" +<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:26" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr="admin" proto=tcp/https sent=1850 rcvd=1239 spkt=10 rpkt=7 cdur=2116 sess="Web" rule="Default Access Rule" app=12 n=511 fw_action="NA" dpi=0 \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log-expected.json b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log-expected.json
new file mode 100644
index 00000000000..4b506d140f8
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-sonicos70-aws.log-expected.json
@@ -0,0 +1,14323 @@ +{ + "expected": [ + { + "@timestamp": "2022-05-16T17:22:26.000+02:00", + "destination": { + "bytes": 1545, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2133000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 15:22:26 UTC\" fw=10.0.0.96 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=12 sess=\"Web\" n=795 usr=\"admin\" src=81.2.69.193:65055:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1930 rcvd=1545 spkt=11 rpkt=7 dpi=0 cdur=2133 rule=\"Default Access Rule\" fw_action=\"NA\"", + "outcome": "success", + "sequence": "795", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3475, + "packets": 18, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "sess": "Web" + } + }, + "source": { + "bytes": 1930, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 65055 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, 
+ { + "@timestamp": "2022-05-16T17:22:26.000+02:00", + "destination": { + "bytes": 1611, + "ip": "10.0.0.96", + "packets": 9, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2483000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 15:22:26 UTC\" fw=10.0.0.96 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=12 sess=\"Web\" n=797 usr=\"admin\" src=81.2.69.193:65056:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=2146 rcvd=1611 spkt=11 rpkt=9 dpi=0 cdur=2483 rule=\"Default Access Rule\" fw_action=\"NA\"", + "outcome": "success", + "sequence": "797", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3757, + "packets": 20, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "sess": "Web" + } + }, + "source": { + "bytes": 2146, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 65056 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": 
"2022-05-16T17:22:27.000+02:00", + "destination": { + "bytes": 1547, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2183000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 15:22:27 UTC\" fw=10.0.0.96 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=12 sess=\"Web\" n=799 usr=\"admin\" src=81.2.69.193:65057:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 proto=tcp/https sent=1919 rcvd=1547 spkt=10 rpkt=7 dpi=0 cdur=2183 rule=\"Default Access Rule\" fw_action=\"NA\"", + "outcome": "success", + "sequence": "799", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3466, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "sess": "Web" + } + }, + "source": { + "bytes": 1919, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 65057 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T17:22:28.000+02:00", + 
"destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 15:22:28 UTC\" fw=10.0.0.96 pri=6 c=262144 m=98 msg=\"Connection Opened\" app=12 sess=\"Web\" n=780 usr=\"admin\" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=64 dpi=0 fw_action=\"NA\"", + "outcome": "success", + "sequence": "780", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 65058 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T17:22:28.000+02:00", + "destination": { + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 15:22:28 UTC\" fw=10.0.0.96 pri=5 
c=16 m=526 msg=\"Web management request allowed\" app=12 sess=\"Web\" n=927 usr=\"admin\" src=81.2.69.193:65058:X1 dst=10.0.0.96:443:X1 srcMac=06:08:25:81:11:30 dstMac=06:6e:64:57:48:02 proto=tcp/https uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\" rule=\"15 (WAN-\u003eWAN)\" fw_action=\"mgmt\"", + "sequence": "927", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed", + "network": { + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 65058 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64889 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": 
"713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:39\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=692 fw_action=\"drop\"", + "outcome": "success", + "sequence": "692", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64889 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + 
"network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:39\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64889:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=694 fw_action=\"drop\"", + "outcome": "success", + "sequence": "694", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "config-change", + "category": [ + "configuration" + ], + "code": "1382", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:39\" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr=\"admin\" sess=\"API\" 
msg=\"Configuration succeeded: 'Logging Level' , changed from [WARNING], changed to [DEBUG]\" n=35 fw_action=\"NA\" auditId=34 tranxId=26 userMode=\"Full\" oldValue=\"WARNING\"", + "outcome": "success", + "sequence": "35", + "severity": "6", + "timezone": "+02:00", + "type": [ + "change" + ] + }, + "log": { + "level": "info" + }, + "message": "Configuration succeeded: 'Logging Level' , changed from [WARNING], changed to [DEBUG]", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "auditId": "34", + "event_group_category": "System", + "gcat": "2", + "oldValue": "WARNING", + "sess": "API", + "tranxId": "26", + "userMode": "Full" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64889 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "config-change", + "category": [ + "configuration" + ], + "code": "1382", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:39\" fw=10.0.0.96 pri=6 c=16 gcat=2 m=1382 src=81.2.69.193:64889 dst=10.0.0.96:443:X1 usr=\"admin\" sess=\"API\" msg=\"Configuration succeeded: 'Alert Level' , changed from [ALERT], changed to [WARNING]\" n=37 fw_action=\"NA\" auditId=35 tranxId=27 userMode=\"Full\" oldValue=\"ALERT\"", + "outcome": "success", + 
"sequence": "37", + "severity": "6", + "timezone": "+02:00", + "type": [ + "change" + ] + }, + "log": { + "level": "info" + }, + "message": "Configuration succeeded: 'Alert Level' , changed from [ALERT], changed to [WARNING]", + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "auditId": "35", + "event_group_category": "System", + "gcat": "2", + "oldValue": "ALERT", + "sess": "API", + "tranxId": "27", + "userMode": "Full" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64889 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:41.000+02:00", + "destination": { + "bytes": 1691, + "ip": "10.0.0.96", + "packets": 10, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2566000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:41\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64888:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=2463 rcvd=1691 spkt=12 rpkt=10 cdur=2566 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=449 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "449", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + 
"log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 4154, + "packets": 22, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 2463, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 12, + "port": 64888 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:41.000+02:00", + "destination": { + "bytes": 1577, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2183000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:41\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64889:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1935 rcvd=1577 spkt=10 rpkt=8 cdur=2183 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=451 fw_action=\"NA\" dpi=0", + "outcome": "success", + 
"sequence": "451", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3512, + "packets": 18, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1935, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64889 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:41.000+02:00", + "destination": { + "bytes": 416, + "ip": "10.0.0.96", + "packets": 8, + "port": 22 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 334100000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:41\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=89.160.20.156:29675:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334100 rule=\"Default 
Access Rule\" app=42 n=453 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "453", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 596, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.0.0.96" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "42", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 180, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "06-08-25-81-11-30", + "packets": 3, + "port": 29675 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64890:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=460 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "460", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + 
"start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64890 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=639 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "639", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + 
"network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64890 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64891:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=462 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "462", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + 
"egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64891 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=641 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "641", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { 
+ "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64891 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64892:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=464 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "464", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + 
"serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64892 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=643 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "643", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": 
"firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64892 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64891 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=696 fw_action=\"drop\"", + "outcome": "success", + "sequence": "696", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", 
+ "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64891 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64891:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=698 fw_action=\"drop\"", + "outcome": "success", + "sequence": "698", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, 
+ "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64890 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=700 fw_action=\"drop\"", + "outcome": "success", + "sequence": "700", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + 
"network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:42.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64890 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:42\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64890:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=702 fw_action=\"drop\"", + "outcome": "success", + "sequence": "702", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� 
(TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:43.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64892 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:43\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=704 fw_action=\"drop\"", + "outcome": "success", + "sequence": "704", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": 
"debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:43.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64892 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:43\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64892:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=706 fw_action=\"drop\"", + "outcome": "success", + "sequence": "706", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + 
}, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:44.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:44\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64893:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=466 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "466", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + 
"type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64893 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:44.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:44\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=645 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "645", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + 
}, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64893 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:44.000+02:00", + "destination": { + "bytes": 1378, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2366000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:44\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64891:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1871 rcvd=1378 spkt=10 rpkt=7 cdur=2366 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=455 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "455", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3249, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + 
"product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1871, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64891 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:44.000+02:00", + "destination": { + "bytes": 3526, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2366000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:44\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64890:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2366 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=457 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "457", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 5441, + "packets": 19, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + 
"interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1915, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 64890 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:45.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64893 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:45\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=708 fw_action=\"drop\"", + "outcome": "success", + "sequence": "708", + "severity": "7", + "timezone": 
"+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:45.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64893 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:45\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64893:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=710 fw_action=\"drop\"", + "outcome": "success", + "sequence": "710", + 
"severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:45.000+02:00", + "destination": { + "bytes": 1279, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 3450000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:45\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64892:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1896 rcvd=1279 spkt=11 rpkt=8 cdur=3450 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=459 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "459", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3175, + 
"packets": 19, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1896, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 64892 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "bytes": 256305, + "ip": "10.0.0.96", + "packets": 181, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2766000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64893:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=8740 rcvd=256305 spkt=159 rpkt=181 cdur=2766 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=461 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "461", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + 
"end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 265045, + "packets": 340, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 8740, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 159, + "port": 64893 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64894:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=468 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "468", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": 
"Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64894 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=647 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "647", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": 
"tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64894 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64894 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP 
Flag(s): RST\" n=712 fw_action=\"drop\"", + "outcome": "success", + "sequence": "712", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64894 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64894:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" 
app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=714 fw_action=\"drop\"", + "outcome": "success", + "sequence": "714", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64895:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=470 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "470", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": 
{ + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64895 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=649 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "649", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + 
"interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64895 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64895 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=716 fw_action=\"drop\"", + "outcome": "success", + "sequence": "716", + "severity": "7", + "timezone": 
"+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:47.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64895 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:47\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64895:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=718 fw_action=\"drop\"", + "outcome": "success", + "sequence": "718", + 
"severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:49.000+02:00", + "destination": { + "bytes": 16551, + "ip": "10.0.0.96", + "packets": 18, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2183000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:49\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64894:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=3259 rcvd=16551 spkt=18 rpkt=18 cdur=2183 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=463 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "463", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 19810, + 
"packets": 36, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 3259, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 18, + "port": 64894 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:49.000+02:00", + "destination": { + "bytes": 1545, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2166000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:49\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64895:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1868 rcvd=1545 spkt=10 rpkt=7 cdur=2166 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=465 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "465", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] 
+ }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3413, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1868, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64895 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:51.000+02:00", + "destination": { + "bytes": 416, + "ip": "10.0.0.96", + "packets": 8, + "port": 22 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 334050000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:51\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=89.160.20.156:53022:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334050 rule=\"Default Access Rule\" app=42 n=467 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "467", + 
"severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 596, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.0.0.96" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "42", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 180, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "06-08-25-81-11-30", + "packets": 3, + "port": 53022 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64896:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=472 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "472", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + 
"bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64896 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=651 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "651", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { 
+ "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64896 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64897:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=474 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "474", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, 
+ "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64897 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=653 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "653", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + 
"product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64897 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64896 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=720 fw_action=\"drop\"", + "outcome": "success", + "sequence": "720", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP 
Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64896 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64896:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=722 fw_action=\"drop\"", + "outcome": "success", + "sequence": "722", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + 
}, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64897 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=724 fw_action=\"drop\"", + "outcome": "success", + "sequence": "724", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": 
{ + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:52.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64897 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:52\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64897:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=726 fw_action=\"drop\"", + "outcome": "success", + "sequence": "726", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + 
"denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:53.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:53\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64898:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=476 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "476", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": 
"0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64898 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:53.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:53\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=655 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "655", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + 
"vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64898 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64898 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=728 fw_action=\"drop\"", + "outcome": "success", + "sequence": "728", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + 
"transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64898 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64898:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=730 fw_action=\"drop\"", + "outcome": "success", + "sequence": "730", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + 
"protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64899:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=478 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "478", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + 
], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64899 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=657 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "657", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { 
+ "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64899 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "bytes": 3588, + "ip": "10.0.0.96", + "packets": 9, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2133000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64896:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1931 rcvd=3588 spkt=11 rpkt=9 cdur=2133 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=469 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "469", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 5519, + "packets": 20, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, 
+ "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1931, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 64896 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:54.000+02:00", + "destination": { + "bytes": 1394, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2133000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:54\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64897:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1887 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=471 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "471", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3281, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + 
"product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1887, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64897 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:55.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64899 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:55\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=732 fw_action=\"drop\"", + "outcome": "success", + "sequence": "732", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� 
(TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:55.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64899 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:55\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64899:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=734 fw_action=\"drop\"", + "outcome": "success", + "sequence": "734", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": 
"debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:56.000+02:00", + "destination": { + "bytes": 1301, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2116000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:56\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64898:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1866 rcvd=1301 spkt=10 rpkt=8 cdur=2116 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=473 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "473", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3167, + "packets": 18, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + 
"name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1866, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64898 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:18:57.000+02:00", + "destination": { + "bytes": 253313, + "ip": "10.0.0.96", + "packets": 179, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2916000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:18:57\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64899:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=8392 rcvd=253313 spkt=152 rpkt=179 cdur=2916 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=475 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "475", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 
261705, + "packets": 331, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 8392, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 152, + "port": 64899 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64901:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=480 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "480", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + 
"egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64901 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=659 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "659", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { 
+ "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64901 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64901 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=736 fw_action=\"drop\"", + "outcome": "success", + "sequence": "736", + "severity": "7", + "timezone": 
"+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64901 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64901:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=738 fw_action=\"drop\"", + "outcome": "success", + "sequence": "738", + 
"severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64902:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=482 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "482", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": 
"10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64902 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=661 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "661", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + 
"product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64902 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64903:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=484 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "484", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + 
"81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64903 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=663 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "663", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ 
+ "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64903 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64903 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=740 fw_action=\"drop\"", + "outcome": "success", + "sequence": "740", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": 
"Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64903 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64903:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=742 fw_action=\"drop\"", + "outcome": "success", + "sequence": "742", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + 
"name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64902 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=744 fw_action=\"drop\"", + "outcome": "success", + "sequence": "744", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + 
"egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:02.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64902 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:02\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64902:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=746 fw_action=\"drop\"", + "outcome": "success", + "sequence": "746", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" 
+ }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64904:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=486 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "486", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + 
"sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64904 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=665 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "665", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + 
"sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64904 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64904 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=748 fw_action=\"drop\"", + "outcome": "success", + "sequence": "748", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + 
"zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64904 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64904:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=750 fw_action=\"drop\"", + "outcome": "success", + "sequence": "750", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": 
{ + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64905:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=488 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "488", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + 
"sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64905 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=667 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "667", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + 
"uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64905 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "bytes": 16551, + "ip": "10.0.0.96", + "packets": 18, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2216000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64901:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=3243 rcvd=16551 spkt=18 rpkt=18 cdur=2216 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=477 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "477", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 19794, + "packets": 36, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + 
"firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 3243, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 18, + "port": 64901 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "bytes": 1394, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2133000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64903:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1871 rcvd=1394 spkt=10 rpkt=7 cdur=2133 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=479 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "479", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3265, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + 
"10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1871, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64903 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:04.000+02:00", + "destination": { + "bytes": 3526, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2133000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:04\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64902:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1915 rcvd=3526 spkt=11 rpkt=8 cdur=2133 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=481 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "481", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 5441, + "packets": 19, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": 
"0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1915, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 64902 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:05.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64905 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:05\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=752 fw_action=\"drop\"", + "outcome": "success", + "sequence": "752", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + 
"bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:05.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64905 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:05\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64905:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=754 fw_action=\"drop\"", + "outcome": "success", + "sequence": "754", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): 
RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:06.000+02:00", + "destination": { + "bytes": 1255, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2166000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:06\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64904:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1866 rcvd=1255 spkt=10 rpkt=7 cdur=2166 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=483 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "483", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3121, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + 
"ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1866, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64904 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:07.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:07\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.145:43466:X1 dst=10.0.0.96:443:X1 proto=tcp/https sent=60 app=12 n=490 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "490", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 60, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": 
"0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 60, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:07.000+02:00", + "destination": { + "bytes": 60, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:07\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=60 rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=669 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "669", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 60, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, + "rule": { + "id": 
"15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "06-08-25-81-11-30", + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:07.000+02:00", + "destination": { + "bytes": 253369, + "ip": "10.0.0.96", + "packets": 180, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 3283000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:07\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64905:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=8438 rcvd=253369 spkt=153 rpkt=180 cdur=3283 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=485 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "485", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 261807, + "packets": 333, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + 
"10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 8438, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 153, + "port": 64905 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:08.000+02:00", + "destination": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:08\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=756 fw_action=\"drop\"", + "outcome": "success", + "sequence": "756", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": 
"SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "06-08-25-81-11-30", + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:08.000+02:00", + "destination": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:08\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=758 fw_action=\"drop\"", + "outcome": "success", + "sequence": "758", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, 
+ "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "06-08-25-81-11-30", + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:08.000+02:00", + "destination": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:08\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https rcvd=46 rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=760 fw_action=\"drop\"", + "outcome": "success", + "sequence": "760", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + 
"app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "06-08-25-81-11-30", + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:10.000+02:00", + "destination": { + "bytes": 2121, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 3050000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:10\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.145:43466:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted proto=tcp/https sent=1172 rcvd=2121 spkt=11 rpkt=8 cdur=3050 rule=\"Default Access Rule\" app=12 n=487 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "487", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3293, + "packets": 19, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.145", + "10.0.0.96" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + 
"event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 1172, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 43466 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:12.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:12\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64906:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=492 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "492", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United 
Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64906 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:12.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:12\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=671 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "671", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64906 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:12.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:12\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64907:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=494 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "494", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64907 + }, + 
"tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:12.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:12\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=673 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "673", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + 
"mac": "06-08-25-81-11-30", + "port": 64907 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:13.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64906 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:13\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=762 fw_action=\"drop\"", + "outcome": "success", + "sequence": "762", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 
46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:13.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64906 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:13\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64906:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=764 fw_action=\"drop\"", + "outcome": "success", + "sequence": "764", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + 
"source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:13.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64907 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:13\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=766 fw_action=\"drop\"", + "outcome": "success", + "sequence": "766", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + 
"sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:13.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64907 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:13\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64907:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=768 fw_action=\"drop\"", + "outcome": "success", + "sequence": "768", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall 
Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64908:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=496 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "496", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64908 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + 
{ + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=675 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "675", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64908 + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64908 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=770 fw_action=\"drop\"", + "outcome": "success", + "sequence": "770", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 
443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64908 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64908:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=772 fw_action=\"drop\"", + "outcome": "success", + "sequence": "772", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": 
"00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64909:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=498 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "498", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64909 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:14.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + 
"mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:14\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=677 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "677", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64909 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:15.000+02:00", + 
"destination": { + "bytes": 3542, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2166000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:15\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64906:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1885 rcvd=3542 spkt=10 rpkt=8 cdur=2166 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=489 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "489", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 5427, + "packets": 18, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1885, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64906 + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:15.000+02:00", + "destination": { + "bytes": 1378, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2166000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:15\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64907:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2166 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=491 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "491", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3265, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1887, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + 
}, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64907 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:15.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64909 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:15\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=774 fw_action=\"drop\"", + "outcome": "success", + "sequence": "774", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + 
"sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:15.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64909 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:15\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64909:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=776 fw_action=\"drop\"", + "outcome": "success", + "sequence": "776", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall 
Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:16.000+02:00", + "destination": { + "bytes": 1301, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2166000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:16\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64908:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1850 rcvd=1301 spkt=10 rpkt=8 cdur=2166 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=493 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "493", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3151, + "packets": 18, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1850, + "geo": { + "city_name": "London", + "continent_name": "Europe", + 
"country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64908 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:16.000+02:00", + "destination": { + "bytes": 416, + "ip": "10.0.0.96", + "packets": 8, + "port": 22 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 334116000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:16\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=89.160.20.156:43808:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334116 rule=\"Default Access Rule\" app=42 n=495 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "495", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 596, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.0.0.96" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "42", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 180, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "06-08-25-81-11-30", + "packets": 3, + "port": 43808 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:17.000+02:00", + "destination": { + "bytes": 253354, + "ip": "10.0.0.96", + "packets": 180, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 3266000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:17\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64909:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=8438 rcvd=253354 spkt=153 rpkt=180 cdur=3266 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=497 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "497", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 261792, + "packets": 333, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + 
"sess": "Web" + } + }, + "source": { + "bytes": 8438, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 153, + "port": 64909 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:17.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:17\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64910:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=500 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "500", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + 
"location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64910 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:17.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:17\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=679 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "679", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": 
"United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64910 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:17.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64910 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:17\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=778 fw_action=\"drop\"", + "outcome": "success", + "sequence": "778", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, 
+ "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:17.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64910 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:17\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64910:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=780 fw_action=\"drop\"", + "outcome": "success", + "sequence": "780", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": 
"15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:19.000+02:00", + "destination": { + "bytes": 16567, + "ip": "10.0.0.96", + "packets": 18, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2183000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:19\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64910:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=3243 rcvd=16567 spkt=18 rpkt=18 cdur=2183 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=499 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "499", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 19810, + "packets": 36, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + 
}, + "source": { + "bytes": 3243, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 18, + "port": 64910 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=502 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "502", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "nat": { + "ip": "10.0.0.96", + "port": 41479 + }, + "port": 54604 + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54604:X1 srcZone=Untrusted natSrc=10.0.0.96:41479 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=151 fw_action=\"forward\"", + "sequence": "151", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "nat": { + "ip": "10.0.0.96", + "port": 41479 + }, + "port": 54604 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", 
+ "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 n=504 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "504", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "nat": { + "ip": "10.0.0.96", + "port": 58515 + }, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96:58515 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254:80 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"", + 
"sequence": "153", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "nat": { + "ip": "10.0.0.96", + "port": 58515 + }, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "bytes": 416, + "ip": "10.0.0.96", + "packets": 8, + "port": 22 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 334083000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=89.160.20.156:27465:X1 srcZone=Untrusted dst=10.0.0.96:22:X1 dstZone=Untrusted proto=tcp/22 sent=180 rcvd=416 spkt=3 rpkt=8 cdur=334083 rule=\"Default Access Rule\" app=42 n=501 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "501", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 596, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": 
"Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.0.0.96" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "42", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 180, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "06-08-25-81-11-30", + "packets": 3, + "port": 27465 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64912:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=506 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "506", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": 
"firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64912 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=681 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "681", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + 
"related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64912 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64913:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=508 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "508", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + 
"dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64913 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=683 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "683", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + 
"event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64913 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64913 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=782 fw_action=\"drop\"", + "outcome": "success", + "sequence": "782", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + 
"name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64913 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64913:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=784 fw_action=\"drop\"", + "outcome": "success", + "sequence": "784", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, 
+ "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64912 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=786 fw_action=\"drop\"", + "outcome": "success", + "sequence": "786", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + 
"zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64912 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64912:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=788 fw_action=\"drop\"", + "outcome": "success", + "sequence": "788", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": 
{ + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "bytes": 916, + "ip": "169.254.169.254", + "mac": "06-08-25-81-11-30", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2050000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=10.0.0.96:54604:X1 natSrc=10.0.0.96:41479 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=350 rcvd=916 spkt=5 rpkt=5 cdur=2050 app=9 n=503 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "503", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 1266, + "packets": 10, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": 
"SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 350, + "ip": "10.0.0.96", + "nat": { + "ip": "10.0.0.96", + "port": 41479 + }, + "packets": 5, + "port": 54604 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:23.000+02:00", + "destination": { + "bytes": 694, + "ip": "169.254.169.254", + "mac": "06-08-25-81-11-30", + "nat": { + "ip": "169.254.169.254", + "port": 80 + }, + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2033000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:23\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=10.0.0.96:54606:X1 natSrc=10.0.0.96:58515 dstMac=06:08:25:81:11:30 dst=169.254.169.254:80:X1 natDst=169.254.169.254:80 proto=tcp/http sent=334 rcvd=694 spkt=5 rpkt=5 cdur=2033 app=9 n=505 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "505", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 1028, + "packets": 10, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 
334, + "ip": "10.0.0.96", + "nat": { + "ip": "10.0.0.96", + "port": 58515 + }, + "packets": 5, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:24.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64914:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=510 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "510", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64914 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:24.000+02:00", + "destination": 
{ + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": "526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=685 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "685", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64914 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": 
"2022-05-16T08:19:24.000+02:00", + "destination": { + "ip": "10.0.0.96", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-start", + "category": [ + "network" + ], + "code": "98", + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=81.2.69.193:64915:X1 dst=10.0.0.96:443:X1 usr=\"admin\" proto=tcp/https sent=64 sess=\"Web\" app=12 n=512 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "512", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "start" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Opened", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + } + }, + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 64, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 64915 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:24.000+02:00", + "destination": { + "bytes": 64, + "ip": "10.0.0.96", + "mac": "06-6E-64-57-48-02", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-management", + "code": 
"526", + "original": "\u003c133\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=5 c=16 gcat=6 m=526 msg=\"Web management request allowed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64915:X1 srcZone=Untrusted dstMac=06:6e:64:57:48:02 dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https rcvd=64 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 note=\"policyCheck\" n=687 fw_action=\"mgmt\" uuid=\"18d4ad2b-4fa2-a827-0700-0040103ce114\"", + "sequence": "687", + "severity": "5", + "timezone": "+02:00" + }, + "log": { + "level": "notice" + }, + "message": "Web management request allowed (policyCheck)", + "network": { + "bytes": 64, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web", + "uuid": "18d4ad2b-4fa2-a827-0700-0040103ce114" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "port": 64915 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:24.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", 
+ "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64914 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=790 fw_action=\"drop\"", + "outcome": "success", + "sequence": "790", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:24.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64914 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:24\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64914:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=792 fw_action=\"drop\"", + "outcome": "success", + "sequence": "792", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:25.000+02:00", + "destination": { + "bytes": 1378, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, 
+ "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2150000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:25\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64913:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1887 rcvd=1378 spkt=10 rpkt=7 cdur=2150 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=507 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "507", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3265, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1887, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 10, + "port": 64913 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": 
"2022-05-16T08:19:25.000+02:00", + "destination": { + "bytes": 3526, + "ip": "10.0.0.96", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2150000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:25\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64912:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1931 rcvd=3526 spkt=11 rpkt=8 cdur=2150 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=509 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "509", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 5457, + "packets": 19, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1931, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "06-08-25-81-11-30", + "packets": 11, + "port": 64912 + 
}, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:25.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64915 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:25\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=794 fw_action=\"drop\"", + "outcome": "success", + "sequence": "794", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": 
"00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:25.000+02:00", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64915 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "category": [ + "network" + ], + "code": "713", + "kind": "event", + "original": "\u003c135\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:25\" fw=10.0.0.96 pri=7 c=512 gcat=6 m=713 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:443:X1 srcZone=Untrusted dstMac=00:17:c5:30:f9:d9 dst=81.2.69.193:64915:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=46 sess=\"Web\" rule=\"15 (WAN-\u003eWAN)\" app=12 msg=\"�\" note=\"TCP Flag(s): RST\" n=796 fw_action=\"drop\"", + "outcome": "success", + "sequence": "796", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "debug" + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + 
"ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-05-16T08:19:26.000+02:00", + "destination": { + "bytes": 1239, + "ip": "10.0.0.96", + "packets": 7, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "connection-end", + "category": [ + "network" + ], + "code": "537", + "duration": 2116000000, + "kind": "event", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:26\" fw=10.0.0.96 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" srcMac=06:08:25:81:11:30 src=81.2.69.193:64914:X1 srcZone=Untrusted dst=10.0.0.96:443:X1 dstZone=Untrusted usr=\"admin\" proto=tcp/https sent=1850 rcvd=1239 spkt=10 rpkt=7 cdur=2116 sess=\"Web\" rule=\"Default Access Rule\" app=12 n=511 fw_action=\"NA\" dpi=0", + "outcome": "success", + "sequence": "511", + "severity": "6", + "timezone": "+02:00", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "info" + }, + "message": "Connection Closed", + "network": { + "bytes": 3089, + "packets": 17, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "81.2.69.193", + "10.0.0.96" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "Default Access Rule" + }, + "sonicwall": { + "firewall": { + "app": "12", + "dpi": "false", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 1850, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, 
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.193",
+ "mac": "06-08-25-81-11-30",
+ "packets": 10,
+ "port": 64914
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-logfile-config.yml
new file mode 100644
index 00000000000..76b589b07b1
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -0,0 +1,8 @@
+service: sonicwall_firewall-logfile
+input: logfile
+vars:
+ tz_offset: "+02:00"
+data_stream:
+ vars:
+ paths:
+ - "{{SERVICE_LOGS_DIR}}/*.log"
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-syslog-config.yml b/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-syslog-config.yml
new file mode 100644
index 00000000000..72da9fb7b67
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/system/test-syslog-config.yml
@@ -0,0 +1,9 @@
+service: sonicwall_firewall-syslog
+service_notify_signal: SIGHUP
+input: udp
+vars:
+ tz_offset: "+02:00"
+data_stream:
+ vars:
+ syslog_port: 9514
+ syslog_host: 0.0.0.0
diff --git a/packages/sonicwall_firewall/data_stream/log/agent/stream/logfile.yml.hbs b/packages/sonicwall_firewall/data_stream/log/agent/stream/logfile.yml.hbs
new file mode 100644
index 00000000000..d40e62f2b96
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/agent/stream/logfile.yml.hbs
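Review bot: `syslog_host: 0.0.0.0` in test-syslog-config.yml is the one address-like scalar in these two test configs left unquoted while `tz_offset: "+02:00"` is quoted; since the value is interpolated textually into `host: "{{syslog_host}}:{{syslog_port}}"` in udp.yml.hbs, keeping it an explicit string avoids any implicit-typing surprise and matches the file's own style. Change it to `syslog_host: "0.0.0.0"`. Listening on all interfaces is what the system-test container needs, so no behavioural change is intended; `syslog_port: 9514` is correctly an integer and can stay as it is.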
@@ -0,0 +1,24 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/sonicwall_firewall/data_stream/log/agent/stream/udp.yml.hbs b/packages/sonicwall_firewall/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..93707136be4
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,20 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..6b6b9fd49d3
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
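Review bot: `tz_offset: {{tz_offset}}` in logfile.yml.hbs (and the identical line in udp.yml.hbs) renders the policy variable as a plain, unquoted YAML scalar, so the value reaches the pipeline's `_conf.tz_offset` only after the agent's YAML parser has applied implicit typing to whatever the user entered. An empty value renders as a bare `tz_offset:` (null), which the pipeline's `ctx?._conf?.tz_offset != null` guard does tolerate, but the string semantics the pipeline relies on (`!= 'local'`, and a timezone string passed to the date processor) are only guaranteed if the template emits a string. Quote the substitution in both templates: `tz_offset: "{{tz_offset}}"`. The `{{processors}}` raw substitution is deliberately unquoted since it injects a YAML fragment rather than a scalar, and is fine as written.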
@@ -0,0 +1,1307 @@
+---
+description: Pipeline for processing SonicWall firewall logs
+processors:
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+
+ - set:
+ field: observer.vendor
+ value: SonicWall
+
+ - set:
+ field: observer.product
+ value: SonicOS
+
+ - set:
+ field: observer.type
+ value: firewall
+
+ - set:
+ field: event.timezone
+ value: "{{{_conf.tz_offset}}}"
+ if: ctx?._conf?.tz_offset != null && ctx?._conf?.tz_offset != 'local'
+
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+
+ - grok:
+ field: event.original
+ description: Extracts key-value pairs from original message
+ patterns:
+ - '%{KEY_VALUES:_temp_.serialized_kv}'
+ pattern_definitions:
+ KEY_VALUES: 'id=.*'
+ on_failure:
+ - fail:
+ message: 'unable to extract key-values from log message: {{{ _ingest.on_failure_message }}}'
+
+ - kv:
+ field: _temp_.serialized_kv
+ description: Splits key-value pairs extracted from original message
+ field_split: ' +(?=[a-zA-Z0-9_-]+=)'
+ value_split: '='
+ prefix: 'sonicwall.firewall.'
+ ignore_failure: false + trim_value: "\"'" + on_failure: + - fail: + message: 'unable to process key-values from log message: {{{ _ingest.on_failure_message }}}' + + - script: + lang: painless + description: Maps SonicWall fields to ECS + if: 'ctx.sonicwall?.firewall != null' + params: + arg: + - to: url.path + dpi: + - to: sonicwall.firewall.dpi + map: + '0': 'false' + '1': 'true' + dstMac: + - to: destination.mac + dstname: + - to: url.domain + dstZone: + - to: observer.egress.zone + fw: + - to: observer.hostname + fw_action: + - to: event.action + map: + forward: packet-forwarded + drop: packet-dropped + mgmt: packet-management + gcat: + - to: sonicwall.firewall.gcat + - to: sonicwall.firewall.event_group_category + map: + '1': Value + '2': System + '3': Log + '4': Security Services + '5': Users + '6': Firewall Settings + '7': Network + '8': VPN + '9': High Availability + '10': 3G/4G, Modem, and Module Firewall + '11': Wireless + '12': VoIP + '13': SSL VPN + '14': Anti-Spam + '15': WAN Acceleration + '16': SD-WAN + '17': Multi-Tenancy + id: + - to: observer.name + m: + - to: event.code + msg: + - to: message + n: + - to: event.sequence + natDst: + - to: _temp_.destination_nat_ip + natDstV6: + - to: _temp_.destination_nat_ip + natSrc: + - to: _temp_.source_nat_ip + natSrcV6: + - to: _temp_.source_nat_ip + op: + - to: http.request.method + map: + '1': 'GET' + '2': 'POST' + '3': 'HEAD' + pri: + - to: event.severity + - to: log.level + map: + '0': emergency + '1': alert + '2': critical + '3': error + '4': warning + '5': notice + '6': info + '7': debug + proto: + - to: network.transport + rcvd: + - to: destination.bytes + rpkt: + - to: destination.packets + rule: + - to: rule.id + sent: + - to: source.bytes + spkt: + - to: source.packets + srcMac: + - to: source.mac + srcZone: + - to: observer.ingress.zone + sn: + - to: observer.serial_number + time: + - to: '@timestamp' + user: + - to: user.name + usr: + - to: user.name + source: | + List sets = 
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); + List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); + for (def src_field : ctx.sonicwall.firewall.entrySet()) { + def key = src_field.getKey(); + if (params[key] != null) { + boolean mapped = false; + for (def action : params[key]) { + def value = action.map == null? src_field.getValue() : action.map[src_field.getValue()]; + if (value != null) { + sets.add([ + "target": action.to, + "value": value + ]); + } + } + removes.add(key); + } + } + +# +# Source and destination information +# +# The src and dst fields have the following format: +# [:[:[:]]] +# +# For IPv6 addresses the srcV6/dstV6 fields are used. +# These contain the ip address, and optionally the src/dst +# fields are used to include extra information, leaving +# the part empty (value starts with `:`). + - script: + lang: painless + description: Extracts additional information from src and dst + params: + src: + - source.address + - source.port + - observer.ingress.interface.name + - source.domain + dst: + - destination.address + - destination.port + - observer.egress.interface.name + - destination.domain + source: | + List sets = ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); + List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); + for (def field : params.entrySet()) { + String value = ctx.sonicwall.firewall[field.getKey()]; + if (value == null) continue; + String[] parts = value.splitOnToken(":"); + List mapping = field.getValue(); + for ( int i = (int)Math.min(parts.length, mapping.size()) - 1 + ; i>=0 + ; i--) { + sets.add([ + "target": mapping[i], + "value": parts[i] + ]); + } + removes.add(field.getKey()); + } + +# +# Duration fields dur / cdur +# + - script: + lang: painless + description: Calculates event.duration + params: + destination: event.duration + sources: + - field: dur + append: '000000000' + - field: cdur + append: '000000' + source: | + List sets = 
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); + List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); + Map base = ctx.sonicwall?.firewall; + if (base == null) return; + for (def entry : params.sources) { + if (base.containsKey(entry.field)) { + sets.add([ + "target": params.destination, + "value": base[entry.field] + entry.append + ]); + } + removes.add(entry.field); + } + + - foreach: + field: _temp_.removes + processor: + remove: + field: 'sonicwall.firewall.{{{ _ingest._value }}}' + ignore_missing: true + + - foreach: + field: _temp_.sets + processor: + set: + field: '{{{ _ingest._value.target }}}' + value: '{{{ _ingest._value.value }}}' + + - set: + field: source.address + copy_from: sonicwall.firewall.srcV6 + override: true + ignore_failure: true + + - set: + field: destination.address + copy_from: sonicwall.firewall.dstV6 + override: true + ignore_failure: true + + - date: + field: '@timestamp' + formats: + - 'yyyy-MM-dd HH:mm:ss VV' + - 'yyyy-MM-dd HH:mm:ss' + - ISO8601 + timezone: '{{{_conf.tz_offset}}}' + if: 'ctx._conf?.tz_offset != null && ctx._conf.tz_offset != "local"' + on_failure: + - append: + field: error.message + value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}' + - date: + field: '@timestamp' + formats: + - 'yyyy-MM-dd HH:mm:ss VV' + - 'yyyy-MM-dd HH:mm:ss' + - ISO8601 + if: 'ctx._conf?.tz_offset == null || ctx._conf.tz_offset == "local"' + on_failure: + - append: + field: error.message + value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}' + +# +# Validate IP addresses +# + - convert: + field: observer.hostname + target_field: observer.ip + type: ip + ignore_missing: true + ignore_failure: true + + - remove: + field: observer.hostname + if: 'ctx.observer?.ip != null' + + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true + + - remove: + field: source.address + 
if: 'ctx.source?.ip != null' + + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + ignore_failure: true + + - remove: + field: destination.address + if: 'ctx.destination?.ip != null' + +# +# Geoip enrichment +# + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + +# +# Convert MAC addresses +# + - uppercase: + field: source.mac + ignore_missing: true + + - gsub: + field: source.mac + pattern: ':' + replacement: '-' + ignore_missing: true + + - uppercase: + field: destination.mac + ignore_missing: true + + - gsub: + field: destination.mac + pattern: ':' + replacement: '-' + ignore_missing: true + +# +# Process proto field +# + - grok: + field: network.transport + description: Extracts transport and protocol information from proto field + patterns: + # transport/portnum (discard port) + - '^%{NOSLASH_WORD:network.transport}/%{NUMBER}$' + # transport/proto + - '^%{NOSLASH_WORD:network.transport}/%{NOSLASH_WORD:network.protocol}$' + # fallback (no pattern match): Keep everything in .transport + pattern_definitions: + NOSLASH_WORD: '[^/]*' + ignore_failure: true + +# +# Extract optional (undocumented) port in nat fields. 
+# + - grok: + field: _temp_.source_nat_ip + description: Extracts optional port number from src nat field + ignore_missing: true + patterns: + - '^%{IPV4:source.nat.ip}:%{POSINT:source.nat.port}$' + - '^\[%{IPV6:source.nat.ip}\]:%{POSINT:source.nat.port}$' + on_failure: + - convert: + field: _temp_.source_nat_ip + type: ip + + - grok: + field: _temp_.destination_nat_ip + description: Extracts optional port number from dst nat field + ignore_missing: true + patterns: + - '^%{IPV4:destination.nat.ip}:%{POSINT:destination.nat.port}$' + - '^\[%{IPV6:destination.nat.ip}\]:%{POSINT:destination.nat.port}$' + on_failure: + - convert: + field: _temp_.destination_nat_ip + type: ip + +# +# Validate integer fields +# + - convert: + field: source.bytes + type: long + ignore_missing: true + on_failure: + - remove: + field: source.bytes + + - convert: + field: source.port + type: integer + ignore_missing: true + on_failure: + - remove: + field: source.port + + - convert: + field: source.nat.port + type: integer + ignore_missing: true + on_failure: + - remove: + field: source.nat.port + + - convert: + field: source.packets + type: long + ignore_missing: true + on_failure: + - remove: + field: source.packets + + - convert: + field: destination.bytes + type: long + ignore_missing: true + on_failure: + - remove: + field: destination.bytes + + - convert: + field: destination.port + type: integer + ignore_missing: true + on_failure: + - remove: + field: destination.port + + - convert: + field: destination.nat.port + type: integer + ignore_missing: true + on_failure: + - remove: + field: destination.nat.port + + - convert: + field: destination.packets + type: long + ignore_missing: true + on_failure: + - remove: + field: destination.packets + + - convert: + field: event.duration + type: long + ignore_missing: true + on_failure: + - remove: + field: event.duration + + - script: + lang: painless + description: Aggregates bytes/packets counters + params: + keys: + - bytes + - packets + 
from: + - source + - destination + to: network + source: | + for (def src : params.from) { + for (def key : params.keys) { + def v = null; + if (ctx[src] != null && (v = ctx[src][key]) != null && v instanceof Long) { + if (ctx[params.to] == null || !(ctx[params.to] instanceof Map)) { + ctx[params.to] = new HashMap(); + } + if (ctx[params.to][key] == null || !(ctx[params.to][key] instanceof Long)) { + ctx[params.to][key] = v; + } else { + ctx[params.to][key] += v; + } + } + } + } + +# +# Extends message field with note +# + - set: + field: message + description: Extends message field with note + value: '{{{ message }}} ({{{ sonicwall.firewall.note }}})' + override: true + if: 'ctx.message != null && ctx.sonicwall?.firewall?.note != null' + - set: + field: message + value: '{{{ sonicwall.firewall.note }}}' + ignore_empty_value: true + override: false + +# +# ECS event categorization by message type +# + - script: + lang: painless + description: Fills ECS categorization fields depending on message Event ID + params: + event_types: + internal-log-success: + kind: event + category: + - host + type: + - info + outcome: success + internal-log-failure: + kind: event + category: + - host + type: + - info + outcome: failure + login-success: + kind: event + category: + - authentication + type: + - start + - info + outcome: success + login-failure: + kind: event + category: + - authentication + type: + - start + - info + outcome: failure + logout: + kind: event + category: + - authentication + type: + - end + - info + outcome: success + user-account-locked: + kind: event + category: + - iam + type: + - info + - user + outcome: success + user-account-unlocked: + kind: event + category: + - iam + type: + - info + - user + outcome: success + user-account-enabled: + kind: event + category: + - iam + type: + - info + - user + outcome: success + user-account-disabled: + kind: event + category: + - iam + type: + - info + - user + outcome: success + user-account-created: + kind: event 
+ category: + - iam + type: + - info + - user + - deletion + outcome: success + user-account-changed: + kind: event + category: + - iam + type: + - info + - user + - change + outcome: success + user-account-change-failure: + kind: event + category: + - iam + type: + - info + - user + - change + outcome: failure + admin-account-changed: + kind: event + category: + - iam + type: + - info + - user + - change + - admin + outcome: success + user-account-deleted: + kind: event + category: + - iam + type: + - info + - user + - deletion + outcome: success + session-start: + kind: event + category: + - session + type: + - start + outcome: success + session-end: + kind: event + category: + - session + type: + - end + outcome: success + attack-detected: + kind: alert + category: + - intrusion_detection + type: + - info + outcome: success + attack-blocked: + kind: alert + category: + - intrusion_detection + type: + - denied + outcome: success + connection-start: + kind: event + category: [ network ] + type: + - connection + - start + outcome: success + connection-end: + kind: event + category: [ network ] + type: + - connection + - end + outcome: success + connection-denied: + kind: event + category: [ network ] + type: + - connection + - denied + outcome: success + packet-dropped: + kind: event + category: [ network ] + type: + - denied + outcome: success + connection-info: + kind: event + category: [ network ] + type: + - connection + - info + outcome: success + malware-info: + kind: alert + category: + - malware + type: + - info + outcome: success + config-change: + kind: event + category: + - configuration + type: + - change + outcome: success + config-change-failure: + kind: event + category: + - configuration + type: + - change + outcome: failure + config-info: + kind: event + category: + - configuration + type: + - info + outcome: success + config-delete: + kind: event + category: + - configuration + type: + - deletion + outcome: success + config-add: + kind: event + 
category: + - configuration + type: + - creation + outcome: success + + message_codes: + # CSV table of SonicOS messages obtained by scraping the pdf docs + # https://gist.github.com/adriansr/d7ad20e15fca1ef2df6a4cdeb53b2989 + + # Firewall + "646": packet-dropped # 646,Firewall,Access Rules,System Error,WARNING,5238,Source IP Connection Limit,Packet dropped; connection limit for this source IP address has been reached + "647": packet-dropped # 647,Firewall,Access Rules,System Error,WARNING,5239,Destination IP Connection Limit,Packet dropped; connection limit for this destination IP address has been reached + "734": connection-info # 734,Firewall,Access Rules,---,WARNING,---,Source Connection Status,Source IP address connection status: %s + "735": packet-dropped # 735,Firewall,Access Rules,---,WARNING,---,Destination Connection Status,Destination IP address connection status: %s + "45": connection-info # 45,Network,ARP,Debug,DEBUG,7002,ARP Failure,ARP Timeout + "815": connection-info # 815,Network,ARP,---,WARNING,7022,Too Many Gratuitous ARPs Detected,Too many gratuitous ARPs detected + "428": packet-dropped # 428,Firewall Settings,Advanced,Debug,WARNING,6424,Drop Source Route Packet,Source routed IP packet dropped + "1473": packet-dropped # 1473,Firewall Settings,Advanced,Debug,INFO,---,Drop Source IP Subnet Broadcast,Source IP is a subnet broadcast address + "1573": packet-dropped # 1573,Firewall Settings,Advanced,Debug,INFO,---,Drop All IPv6 Traffic,IPv6 packet dropped due to IPv6 traffic processing is disabled on this firewall + "1576": packet-dropped # 1576,Firewall Settings,Advanced,Debug,INFO,---,Drop Record Route Packet,Record routed IP packet dropped + + # Network Access + "41": packet-dropped # 41,Network,Network Access,Debug,NOTICE,7214,Unknown Protocol Dropped,Unknown protocol dropped + "46": packet-dropped # 46,Network,Network Access,Debug,DEBUG,7217,Broadcast Packets Dropped,Broadcast packet dropped + "98": connection-start # 98,Network,Network 
Access,Connection,INFO,7402,Connection Opened,Connection Opened + "347": packet-dropped # 347,Network,Network Access,TCP | UDP | ICMP,WARNING,7225,Drop Clear Packet,Port configured to receive IPsec protocol ONLY; drop packet received in the clear + "537": connection-end # 537,Network,Network Access,Connection Traffic,INFO,7403,Connection Closed,Connection Closed + "590": packet-dropped # 590,Network,Network Access,LAN UDP | LAN TCP,NOTICE,7232,LAN IP Deny,IP type %s packet dropped + "714": packet-dropped # 714,Network,Network Access,Debug,NOTICE,7236,EIGRP Packet Drop,EIGRP packet dropped + "1304": packet-dropped # 1304,Network,Network Access,Debug,ALERT,---,Packet Dropped Due to NDPP Rules,Packet is dropped due to NDPP rules. + + # Checksum Enforcement + "883": packet-dropped # 883,Firewall Settings,Checksum Enforcement,TCP|UDP,NOTICE,7243,IP Checksum Error,IP Header checksum error; packet dropped + "884": packet-dropped # 884,Firewall Settings,Checksum Enforcement,TCP,NOTICE,7244,TCP Checksum Error,TCP checksum error; packet dropped + "885": packet-dropped # 885,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7245,UDP Checksum Error,UDP checksum error; packet dropped + "886": packet-dropped # 886,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7246,ICMP Checksum Error,ICMP checksum error; packet dropped + "1448": packet-dropped # 1448,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,UDPv6 Checksum Error,UDPv6 checksum error; packet dropped + "1449": packet-dropped # 1449,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,ICMPv6 Checksum Error,ICMPv6 checksum error; packet dropped + + # Geo-IP Filter + "1198": connection-denied # 1198,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Initiator Blocked,Initiator from country blocked: %s + "1199": connection-denied # 1199,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Responder Blocked,Responder from country blocked: %s + "1474": connection-denied # 1474,Security Services,Geo-IP 
Filter,---,ALERT,---,Custom Geo IP Initiator Blocked,"Initiator from country blocked: %s, Source: Custom List" + "1475": connection-denied # 1475,Security Services,Geo-IP Filter,---,ALERT,---,Custom Geo IP Responder Blocked,"Responder from country blocked: %s, Source: Custom List" + + # ICMP + "38": packet-dropped # 38,Network,ICMP,ICMP,NOTICE,7211,ICMP Packets Dropped,ICMP packet dropped due to Policy + "63": packet-dropped # 63,Network,ICMP,Debug,DEBUG,7003,ICMP Too Big,Received fragmented packet or fragmentation needed + "175": packet-dropped # 175,Network,ICMP,LAN ICMP | LAN TCP,NOTICE,7224,LAN ICMP Deny,ICMP packet from LAN dropped + "182": connection-info # 182,Network,ICMP,User Activity,INFO,7006,Path MTU Receive,Received a path MTU ICMP message from router/gateway + "188": connection-info # 188,Network,ICMP,User Activity,INFO,7007,Path MTU ICMP,Received a path MTU ICMP message from router/gateway + "523": packet-dropped # 523,Network,ICMP,ICMP,NOTICE,7227,No Match ICMP Drop,ICMP packet dropped no match + "597": connection-info # 597,Network,ICMP,Debug,INFO,7233,ICMP Allow,ICMP packet allowed + "598": connection-info # 598,Network,ICMP,Debug,INFO,7234,LAN ICMP Allow,ICMP packet from LAN allowed + "1254": packet-dropped # 1254,Network,ICMP,---,INFO,---,LAN ICMPv6 Deny,ICMPv6 packet from LAN dropped + "1255": connection-info # 1255,Network,ICMP,---,INFO,---,LAN ICMPv6 Allow,ICMPv6 packet from LAN allowed + "1256": connection-info # 1256,Network,ICMP,---,INFO,---,ICMPv6 Allow,ICMPv6 packet allowed + "1257": packet-dropped # 1257,Network,ICMP,---,INFO,---,ICMPv6 Packets Dropped,ICMPv6 packet dropped due to policy + "1431": connection-info # 1431,Network,ICMP,---,INFO,---,ICMPv6 Packets Received,ICMPv6 packet received + "1433": packet-dropped # 1433,Network,ICMP,---,NOTICE,---,NDP Packets Dropped,%s + "1458": connection-info # 1458,Network,ICMP,---,NOTICE,---,NDP Packets Received,%s + + # IP + "28": packet-dropped # 28,Network,IP,TCP | UDP | 
ICMP,NOTICE,7001,Fragmented Packet,Fragmented packet dropped + "522": packet-dropped # 522,Network,IP,Debug,INFO,554,Malformed IP Packet,Malformed or unhandled IP packet dropped + "910": packet-dropped # 910,Network,IP,Debug,NOTICE,7037,IP TTL Expire,Packet Dropped - IP TTL expired + "1301": packet-dropped # 1301,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Reserved IP,Source or Destination IPv6 address is reserved by RFC 4291. Packet is dropped + "1302": packet-dropped # 1302,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Destination IP,Destination IPv6 address is unspecified. Packet is dropped + "1303": packet-dropped # 1303,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Source IP,Source IPv6 address is unspecified but this packet is not Neighbor Solicitation message for DAD. Packet is dropped + "1429": packet-dropped # 1429,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Site Local IP,Source or Destination IPv6 address is site-local unicast address. 
Packet is dropped + "1430": packet-dropped # 1430,Network,IP,Debug,INFO,---,IPv6 Packet with Ext Header,IPv6 Packet with extension header received + + # IPcomp + "651": packet-dropped # 651,Network,IPcomp,Debug,DEBUG,12401,IPcomp Interrupt Error,IPcomp connection interrupt + "652": packet-dropped # 652,Network,IPcomp,TCP | UDP | ICMP,NOTICE,12402,IPcomp Packet Drop,IPcomp packet dropped + "653": packet-dropped # 653,Network,IPcomp,Debug,DEBUG,12403,"IPcomp Packet Drop, Waiting",IPcomp packet dropped; waiting for pending IPcomp connection + + # IPv6 Tunneling + "1253": packet-dropped # 1253,Network,IPv6 Tunneling,---,NOTICE,---,IPv6 Tunnel Dropped,IPv6 Tunnel packet dropped + + # Multicast + "683": packet-dropped # 683,Firewall Settings,Multicast,---,NOTICE,10608,Wrong IGMP Checksum,"IGMP packet dropped, wrong checksum received on interface %s" + "690": packet-dropped # 690,Firewall Settings,Multicast,---,NOTICE,10615,UDP Packet Drop,"Multicast UDP packet dropped, no state entry" + "694": packet-dropped # 694,Firewall Settings,Multicast,---,WARNING,10619,RTP Stateful Failed,"Multicast UDP packet dropped, RTP stateful failed" + "1233": packet-dropped # 1233,Firewall Settings,Multicast,Debug,NOTICE,---,Link-Local/Mult icast IPv6 Packet,Unhandled link-local or multicast IPv6 packet dropped + + # NAT + "339": packet-dropped # 339,Network,NAT,Debug,DEBUG,7008,NAT Overwrite,"NAT translated packet exceeds size limit, packet dropped" + "1197": connection-info # 1197,Network,NAT,---,NOTICE,---,Connection NAT Mapping,NAT Mapping + "1436": packet-dropped # 1436,Network,NAT,Debug,DEBUG,---,NAT Policy Dropped Packets,"Packet dropped by NAT Policy, reason: %s" + + # NAT Policy + "1313": config-add # 1313,Network,NAT Policy,---,INFO,---,NAT Policy Add,NAT policy added + "1314": config-change # 1314,Network,NAT Policy,---,INFO,---,NAT Policy Modify,NAT policy modified + "1315": config-delete # 1315,Network,NAT Policy,---,INFO,---,NAT Policy Delete,NAT policy deleted + + # TCP + 
"36": connection-end # 36,Network,TCP,TCP,NOTICE,7209,TCP Packets Dropped,TCP connection dropped
+ "48": packet-dropped # 48,Network,TCP,Debug,DEBUG,7218,Out of Order Packets Dropped,Out-of-order command packet dropped
+ "173": connection-denied # 173,Network,TCP,LAN TCP,NOTICE,7222,LAN TCP Deny,TCP connection from LAN denied
+ "181": packet-dropped # 181,Network,TCP,Debug,DEBUG,7005,TCP FIN Drop,TCP FIN packet dropped
+ "524": connection-denied # 524,Network,Network Access,TCP,NOTICE,7228,Web Request Drop,Web access Request dropped
+ "580": packet-dropped # 580,Network,TCP,Attack,ALERT,558,TCP SYN/FIN Packet Drop,TCP SYN/FIN packet dropped
+ "708": packet-dropped # 708,Network,TCP,Debug,DEBUG,7010,TCP Invalid SEQ Number,TCP packet received with invalid SEQ number; TCP packet dropped
+ "709": packet-dropped # 709,Network,TCP,Debug,DEBUG,7011,TCP Invalid ACK Number,TCP packet received with invalid ACK number; TCP packet dropped
+ "712": connection-denied # 712,Network,TCP,Debug,DEBUG,7014,TCP Connection Reject,TCP connection reject received; TCP connection dropped
+ "713": connection-denied # 713,Network,TCP,Debug,DEBUG,7015,TCP Connection Abort,TCP connection abort received; TCP connection dropped
+ "760": connection-denied # 760,Network,TCP,---,NOTICE,7240,TCP Handshake Violation Detected,TCP handshake violation detected; TCP connection dropped
+ "887": packet-dropped # 887,Network,TCP,Debug,DEBUG,7026,Invalid TCP Header Length,TCP packet received with invalid header length; TCP packet dropped
+ "888": packet-dropped # 888,Network,TCP,Debug,DEBUG,7027,TCP Connection Does Not Exist,TCP packet received on non-existent/closed connection; TCP packet dropped
+ "889": packet-dropped # 889,Network,TCP,Debug,DEBUG,7028,TCP Without Mandatory SYN Flag,TCP packet received without mandatory SYN flag; TCP packet dropped
+ "890": packet-dropped # 890,Network,TCP,Debug,DEBUG,7029,TCP Without Mandatory ACK Flag,TCP packet received without mandatory ACK flag; TCP packet dropped
+ "891": packet-dropped # 891,Network,TCP,Debug,DEBUG,7030,TCP Packet on Closing Connection,TCP packet received on a closing connection; TCP packet dropped
+ "892": packet-dropped # 892,Network,TCP,Debug,INFO,7031,SYN Flag on Existing Connection,TCP packet received with SYN flag on an existing connection; TCP packet dropped
+ "893": packet-dropped # 893,Network,TCP,Debug,DEBUG,7032,Invalid TCP SACK Option Length,TCP packet received with invalid SACK option length; TCP packet dropped
+ "894": packet-dropped # 894,Network,TCP,Debug,DEBUG,7033,Invalid TCP MSS Option Length,TCP packet received with invalid MSS option length; TCP packet dropped
+ "895": packet-dropped # 895,Network,TCP,Debug,DEBUG,7034,Invalid TCP Option Length,TCP packet received with invalid option length; TCP packet dropped
+ "896": packet-dropped # 896,Network,TCP,Debug,DEBUG,7035,Invalid TCP Source Port,TCP packet received with invalid source port; TCP packet dropped
+ "1029": packet-dropped # 1029,Network,TCP,Debug,DEBUG,7038,Non-Permitted Option TCP Packet,TCP packet received with non-permitted option; TCP packet dropped
+ "1030": packet-dropped # 1030,Network,TCP,Debug,DEBUG,7039,Invalid TCP Window Scale Option Length,TCP packet received with invalid Window Scale option length; TCP packet dropped
+ "1031": packet-dropped # 1031,Network,TCP,Debug,DEBUG,7040,Invalid TCP Window Scale Option Value,TCP packet received with invalid Window Scale option value; TCP packet dropped
+ "1384": packet-dropped # 1384,Network,TCP,Debug,DEBUG,---,Invalid TCP Timestamps Option Length,TCP packet received with invalid Timestamps option length; TCP packet dropped
+ "1385": packet-dropped # 1385,Network,TCP,Debug,DEBUG,---,TCP Sequence Number Wrapped,TCP packet received with wrapped sequence number; TCP packet dropped
+ "1628": packet-dropped # 1628,Network,TCP,Debug,DEBUG,---,TCP SYN Packet With Data,TCP SYN packet received with data; TCP packet dropped
+ "1629": packet-dropped # 1629,Network,TCP,Debug,DEBUG,---,TCP Urgent Flag or Pointer,TCP packet received with Urgent flag or pointer; TCP packet dropped
+
+ # Content Filter
+ "14": connection-denied # 14,Security Services,Content Filter,Blocked Sites,ERROR,701,Website Blocked,Web site access denied
+ "16": connection-info # 16,Security Services,Content Filter,Blocked Sites,NOTICE,703,Website Accessed,Web site access allowed
+ "1599": config-add # 1599,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Added,CFS policy added
+ "1600": config-change # 1600,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Modified,CFS policy modified
+ "1601": config-change # 1601,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Deleted,CFS policy deleted
+
+ # RBL Filter
+ "797": connection-denied # 797,Security Services,RBL Filter,---,NOTICE,12001,Outbound Connection Drop,Outbound connection to RBL-listed SMTP server dropped
+ "798": connection-denied # 798,Security Services,RBL Filter,---,NOTICE,12002,Inbound Connection Drop,Inbound connection from RBL-listed SMTP server dropped
+
+ # Attacks
+ "22": attack-blocked # 22,Security Services,Attacks,Attack,ALERT,501,Ping of Death Blocked,Ping of death dropped
+ "23": attack-blocked # 23,Security Services,Attacks,Attack,ALERT,502,IP Spoof Detected,IP spoof dropped
+ "27": attack-blocked # 27,Security Services,Attacks,Attack,ALERT,505,Land Attack,Land attack dropped
+ "81": attack-blocked # 81,Security Services,Attacks,Attack,ALERT,520,Smurf Attack,Smurf Amplification attack dropped
+ "82": attack-detected # 82,Security Services,Attacks,Attack,ALERT,521,Port Scan Possible,Possible port scan detected
+ "83": attack-detected # 83,Security Services,Attacks,Attack,ALERT,522,Port Scan Probable,Probable port scan detected
+ "177": attack-detected # 177,Security Services,Attacks,Attack,ALERT,528,TCP FIN Scan,Probable TCP FIN scan detected
+ "178": attack-detected # 178,Security Services,Attacks,Attack,ALERT,529,TCP Xmas Scan,Probable TCP XMAS scan detected
+ "179": attack-detected # 179,Security Services,Attacks,Attack,ALERT,530,TCP Null Scan,Probable TCP NULL scan detected
+ "267": attack-blocked # 267,Security Services,Attacks,Attack,ALERT,547,TCP Xmas Tree Attack,TCP Xmas Tree dropped
+ "606": attack-blocked # 606,Security Services,Attacks,Attack,ALERT,568,Spank Attack,Spank attack multicast packet dropped
+ "1316": attack-detected # 1316,Network,ARP,---,ALERT,---,ARP Attack Detected,Possible ARP attack from MAC address %s
+ "1373": attack-detected # 1373,Security Services,Attacks,Attack,ALERT,---,IPv6 fragment size is less than minimum (<1280),"IPv6 fragment dropped, invalid length (<1280 Bytes)"
+ "1374": attack-detected # 1374,Security Services,Attacks,Attack,ALERT,---,IP Reassembly : Incomplete IGMP fragment,"IGMP packet dropped, incomplete fragments"
+ "1375": attack-detected # 1375,Security Services,Attacks,Attack,ALERT,---,UDP fragmented datagram is too big (>65535),"UDP fragment dropped, exceeds maximum IP datagram size (>65535)"
+ "1376": attack-blocked # 1376,Security Services,Attacks,Attack,ALERT,---,Nestea/Teardro p Attack,Nestea/Teardrop attack dropped
+ "1387": attack-blocked # 1387,Security Services,Attacks,Attack,ALERT,---,TCP Null Flag Attack,TCP Null Flag dropped
+ "1471": attack-detected # 1471,Security Services,Attacks,Attack,ALERT,---,External IDS,External IDS: %s
+ "229": attack-blocked # 229,VPN,DHCP Relay,Attack,WARNING,533,DHCPR IP Spoof,"IP spoof detected on packet to Central Gateway, packet dropped"
+ "1098": attack-detected # 1098,Network,DNS,---,ALERT,6465,DNS Rebind Attack Detected,Possible DNS rebind attack detected
+ "1099": attack-blocked # 1099,Network,DNS,---,ALERT,6466,DNS Rebind Attack Blocked,DNS rebind attack blocked
+ "1593": attack-detected # 1593,Network,DNS Security,Maintenance,NOTICE,---,DNS Tunnel Attack,Find DNS tunnel attack - %s
+ "446": attack-blocked # 446,Firewall Settings,FTP,Attack,ERROR,551,FTP Passive Attack,FTP: PASV response spoof attack dropped
+ "527": attack-blocked # 527,Firewall Settings,FTP,Attack,ALERT,555,FTP Port Bounce Attack,FTP: PORT bounce attack dropped.
+ "528": attack-blocked # 528,Firewall Settings,FTP,Attack,ALERT,556,FTP Passive Bounce Attack,FTP: PASV response bounce attack dropped.
+ "538": attack-blocked # 538,Firewall Settings,FTP,Attack,ALERT,557,FTP Data Port,FTP: Data connection from non default port dropped
+
+ # IDP
+ "789": attack-detected # 789,Security Services,IDP,Attack,ALERT,6435,IDP Detection Alert,IDP Detection Alert: %s
+ "790": attack-blocked # 790,Security Services,IDP,Attack,ALERT,6436,IDP Prevention Alert,IDP Prevention Alert: %s
+
+ # IPS
+ "608": attack-detected # 608,Security Services,IPS,Attack,ALERT,569,IPS Detection Alert,IPS Detection Alert: %s
+ "609": attack-blocked # 609,Security Services,IPS,Attack,ALERT,570,IPS Prevention Alert,IPS Prevention Alert: %s
+
+
+ # Flood Protection
+ "25": attack-detected # 25,Firewall Settings,Flood Protection,Attack,WARNING,503,Possible SYN Flood,Possible SYN flood attack detected
+ "856": config-change # 856,Firewall Settings,Flood Protection,Attack,WARNING,6439,SYN Flood Watch Mode,SYN Flood Mode changed by user to: Watch and report possible SYN floods
+ "857": config-change # 857,Firewall Settings,Flood Protection,Attack,WARNING,6440,SYN Flood Trigger Mode,SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack
+ "858": config-change # 858,Firewall Settings,Flood Protection,Attack,WARNING,6441,SYN Flood Proxy Mode,SYN Flood Mode changed by user to: Always proxy WAN connections
+ "859": attack-detected # 859,Firewall Settings,Flood Protection,Attack,ALERT,6442,SYN Flood Proxy Trigger Mode,Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode
+ "860": attack-detected # 860,Firewall Settings,Flood Protection,Attack,ALERT,6443,SYN Flood Detected,Possible SYN Flood on IF %s
+ "862": config-change # 862,Firewall Settings,Flood Protection,Attack,WARNING,6445,SYN Flood Blacklist On,SYN Flood blacklisting enabled by user
+ "863": config-change # 863,Firewall Settings,Flood Protection,Attack,WARNING,6446,SYN Flood Blacklist Off,SYN Flood blacklisting disabled by user
+ "864": attack-blocked # 864,Firewall Settings,Flood Protection,Attack,ALERT,6447,SYN-Flooding Machine Blacklisted,SYN-Flooding machine %s blacklisted
+ "897": attack-detected # 897,Firewall Settings,Flood Protection,Attack,INFO,7036,Invalid TCP SYN Flood Cookie,TCP packet received with invalid SYN Flood cookie; TCP packet dropped
+ "898": attack-blocked # 898,Firewall Settings,Flood Protection,Attack,ALERT,6453,RST-Flooding Machine Blacklisted,RST-Flooding machine %s blacklisted
+ "901": attack-blocked # 901,Firewall Settings,Flood Protection,Attack,ALERT,6456,FIN-Flooding Machine Blacklisted,FIN-Flooding machine %s blacklisted
+ "904": attack-detected # 904,Firewall Settings,Flood Protection,Attack,ALERT,6459,Possible RST Flood,Possible RST Flood on IF %s
+ "905": attack-detected # 905,Firewall Settings,Flood Protection,Attack,ALERT,6460,Possible FIN Flood,Possible FIN Flood on IF %s
+ "1180": attack-blocked # 1180,Firewall Settings,Flood Protection,---,ALERT,---,DOS Protection on WAN Begin,DOS protection on WAN begins %s
+ "1213": attack-detected # 1213,Firewall Settings,Flood Protection,Attack,ALERT,---,UDP Flood Detected,Possible UDP flood attack detected
+ "1214": attack-detected # 1214,Firewall Settings,Flood Protection,Attack,ALERT,---,ICMP Flood Detected,Possible ICMP flood attack detected
+ "1366": attack-blocked # 1366,Firewall Settings,Flood Protection,Attack,ALERT,---,TCP-Flooding Machine Blacklisted,TCP-Flooding machine %s blacklisted
+ "1369": attack-detected # 1369,Firewall Settings,Flood Protection,Attack,ALERT,---,Possible TCP Flood,Possible TCP Flood on IF %s
+ "1450": attack-detected # 1450,Firewall Settings,Flood Protection,Attack,ALERT,---,UDPv6 Flood Detected,Possible UDPv6 flood attack detected
+ "1451": attack-detected # 1451,Firewall Settings,Flood Protection,Attack,ALERT,---,ICMPv6 Flood Detected,Possible ICMPv6 flood attack detected
+ "1452": attack-detected # 1452,Firewall Settings,Flood Protection,Attack,ALERT,---,Half Open TCP Connection Threshold Exceeded,Too many half-open TCP connections
+
+ # RF Monitoring
+ "879": attack-detected # 879,Wireless,RF Monitoring,---,WARNING,---,WLAN Radio Frequency Threat Detected,WLAN radio frequency threat detected
+
+ # WLAN
+ "1363": attack-detected # 1363,Wireless,WLAN,802.11b Management,ALERT,---,WLAN 802.11 Flood,Wireless Flood Attack
+
+ # WLAN IDS
+ "546": attack-detected # 546,Wireless,WLAN IDS,WLAN IDS,ALERT,901,Rogue AP or MitM AP Found,Found Rogue or MitM Access Point
+ "548": attack-detected # 548,Wireless,WLAN IDS,WLAN IDS,ALERT,903,WLAN Association Flood,Association Flood from WLAN station
+
+ # Authentication Access
+ "24": logout # 24,Users,Authentication Access,User Activity,INFO,4201,User Disconnect Detected,User logged out - user disconnect detected
+ "29": login-success # 29,Users,Authentication Access,User Activity,INFO,4202,Successful Admin Login,Administrator login allowed
+ "30": login-failure # 30,Users,Authentication Access,Attack,ALERT,560,Wrong Admin Password,Administrator login denied due to bad credentials
+ "31": login-success # 31,Users,Authentication Access,User Activity,INFO,4204,Successful User Login,User login from an internal zone allowed
+ "32": login-failure # 32,Users,Authentication Access,User Activity,INFO,4205,Wrong User Password,User login denied due to bad credentials
+ "33": login-failure # 33,Users,Authentication Access,User Activity,INFO,4206,Unknown User Login Attempt,User login denied due to bad credentials
+ "34": login-failure # 34,Users,Authentication Access,User Activity,INFO,4207,Login Timeout,Pending login timed out
+ "35": login-failure # 35,Users,Authentication Access,Attack,ALERT,506,Admin Login Disabled,Administrator login denied from %s; logins disabled from this interface
+ "199": login-success # 199,Users,Authentication Access,User Activity,INFO,4209,Admin Login From CLI,CLI administrator login allowed
+ "200": login-failure # 200,Users,Authentication Access,User Activity,WARNING,4210,Admin Password Error From CLI,CLI administrator login denied due to bad credentials
+ "235": login-success # 235,Users,Authentication Access,User Activity,INFO,4211,Admin VPN Login,VPN zone administrator login allowed
+ "236": login-success # 236,Users,Authentication Access,User Activity,INFO,4212,Admin WAN Login,WAN zone administrator login allowed
+ "237": login-success # 237,Users,Authentication Access,User Activity,INFO,4213,User VPN Login,VPN zone remote user login allowed
+ "238": login-success # 238,Users,Authentication Access,User Activity,INFO,4214,User WAN Login,WAN zone remote user login allowed
+ "246": login-failure # 246,Users,Authentication Access,User Activity,INFO,8204,User Login From Wrong Location,User login denied - User has no privileges for login from that location
+ "261": logout # 261,Users,Authentication Access,User Activity,INFO,4215,Admin Logout,Administrator logged out
+ "262": logout # 262,Users,Authentication Access,User Activity,INFO,4216,Admin Logout - Timer Expire,Administrator logged out - inactivity timer expired
+ "263": logout # 263,Users,Authentication Access,User Activity,INFO,4217,User Logout,User logged out - %s
+ "264": logout # 264,Users,Authentication Access,User Activity,INFO,4218,User Logout - Max Session,User logged out - max session time exceeded
+ "265": logout # 265,Users,Authentication Access,User Activity,INFO,4219,User Logout - Timer Expire,User logged out - inactivity timer expired
+ "328": admin-account-changed # 328,Users,Authentication Access,Maintenance,INFO,4220,Admin Name Change,Administrator name changed
+ "329": login-failure # 329,Users,Authentication Access,Attack,ERROR,561,User Login Lockout,User login failure rate exceeded - logins from user IP address denied
+ "438": user-account-unlocked # 438,Users,Authentication Access,User Activity,INFO,4222,User Login Lockout Expired,Locked-out user logins allowed - lockout period expired
+ "439": user-account-unlocked # 439,Users,Authentication Access,User Activity,INFO,4223,User Login Lockout Clear,Locked-out user logins allowed by %s
+ "486": login-failure # 486,Users,Authentication Access,User Activity,INFO,4224,WLAN User Login Deny,User login denied - User has no privileges for guest service
+ "506": config-change # 506,Users,Authentication Access,Maintenance,INFO,4225,VPN Disabled,VPN disabled by administrator
+ "507": config-change # 507,Users,Authentication Access,Maintenance,INFO,4226,VPN Enabled,VPN enabled by administrator
+ "508": config-change # 508,Users,Authentication Access,Maintenance,INFO,4227,WLAN Disabled,WLAN disabled by administrator
+ "509": config-change # 509,Users,Authentication Access,Maintenance,INFO,4228,WLAN Enabled,WLAN enabled by administrator
+ "520": logout # 520,Users,Authentication Access,User Activity,INFO,4235,Admin Logout From CLI,CLI administrator logged out
+ "549": login-failure # 549,Users,Authentication Access,User Activity,WARNING,4236,WLAN Guest Limit,User login failed - Guest service limit reached
+ "550": session-end # 550,Users,Authentication Access,User Activity,INFO,4237,WLAN Session Timeout,User Session Quota Expired
+ "551": session-end # 551,Users,Authentication Access,User Activity,INFO,4238,WLAN Account Timeout,Guest Account Timeout
+ "557": login-failure # 557,Users,Authentication Access,User Activity,INFO,4239,WLAN Guest Already Login,Guest login denied. Guest '%s' is already logged in. Please try again later.
+ "558": user-account-created # 558,Users,Authentication Access,User Activity,INFO,4240,WLAN Guest Create,Guest account '%s' created
+ "559": user-account-deleted # 559,Users,Authentication Access,User Activity,INFO,4241,WLAN Guest Delete,Guest account '%s' deleted
+ "560": user-account-disabled # 560,Users,Authentication Access,User Activity,INFO,4242,WLAN Guest Disable,Guest account '%s' disabled
+ "561": user-account-enabled # 561,Users,Authentication Access,User Activity,INFO,4243,WLAN Guest Re-enable,Guest account '%s' re-enabled
+ "562": user-account-deleted # 562,Users,Authentication Access,User Activity,INFO,4244,WLAN Guest Prune,Guest account '%s' pruned
+ "564": session-end # 564,Users,Authentication Access,User Activity,INFO,4246,WLAN Idle Timeout,Guest Idle Timeout
+ "583": login-failure # 583,Users,Authentication Access,Attack,ERROR,559,User Login Disable,User login disabled from %s
+ "728": config-change # 728,Users,Authentication Access,Maintenance,INFO,4248,WLAN Disable By Schedule,WLAN disabled by schedule
+ "729": config-change # 729,Users,Authentication Access,Maintenance,INFO,4249,WLAN Enabled By Schedule,WLAN enabled by schedule
+ "759": login-failure # 759,Users,Authentication Access,User Activity,INFO,---,User Already Logged-In,User login denied - user already logged in
+ "986": login-failure # 986,Users,Authentication Access,User Activity,INFO,4256,Not Allowed by Policy Rule,User login denied - not allowed by Policy rule
+ "987": login-failure # 987,Users,Authentication Access,User Activity,INFO,4257,Not Found Locally,User login denied - not found locally
+ "994": session-start # 994,Users,Authentication Access,User Activity,INFO,4258,Configuration Mode Administration Session Started,Configuration mode administration session started
+ "995": session-end # 995,Users,Authentication Access,User Activity,INFO,4259,Configuration Mode Administration Session Ended,Configuration mode administration session ended
+ "996": session-start # 996,Users,Authentication Access,User Activity,INFO,4260,Read-only Mode GUI Administration Session Started,Read-only mode GUI administration session started
+ "997": session-start # 997,Users,Authentication Access,User Activity,INFO,4261,Non-Config Mode GUI Administration Session Started,Non-config mode GUI administration session started
+ "998": session-end # 998,Users,Authentication Access,User Activity,INFO,4262,GUI Administration Session End,GUI administration session ended
+ "1008": logout # 1008,Users,Authentication Access,User Activity,INFO,---,Logout Detected by SSO,User logged out - logout detected by SSO
+ "1035": login-failure # 1035,Users,Authentication Access,User Activity,INFO,---,Password Expire,User login denied - password expired
+ "1048": login-failure # 1048,Users,Authentication Access,---,INFO,---,Password doesn't meet constraints,User login denied - password doesn't meet constraints
+ "1080": login-success # 1080,Users,Authentication Access,---,INFO,---,Successful SSL VPN User Login,SSL VPN zone remote user login allowed
+ "1117": login-failure # 1117,Users,Authentication Access,User Activity,WARNING,---,SSO Probe Failed,User login denied - SSO probe failed
+ "1118": login-failure # 1118,Users,Authentication Access,User Activity,INFO,---,SMTP Server Not Configured,User login denied - Mail Address(From/to) or SMTP Server is not configured
+ "1119": login-failure # 1119,Users,Authentication Access,User Activity,INFO,---,RADIUS User Cannot Use One Time Password,RADIUS user cannot use One Time Password - no mail address set for equivalent local user
+ "1120": login-failure # 1120,Users,Authentication Access,User Activity,WARNING,---,TSA Timeout,User login denied - Terminal Services agent Timeout
+ "1121": login-failure # 1121,Users,Authentication Access,User Activity,WARNING,---,TSA Name Resolution Failed,User login denied - Terminal Services agent name resolution failed
+ "1122": login-failure # 1122,Users,Authentication Access,User Activity,WARNING,---,No Name Received from TSA,User login denied - No name received from Terminal Services agent
+ "1123": login-failure # 1123,Users,Authentication Access,User Activity,WARNING,---,TSA Communicatio n Problem,User login denied - Terminal Services agent communication problem
+ "1124": logout # 1124,Users,Authentication Access,User Activity,INFO,---,TSA User logout,User logged out - logout reported by Terminal Services agent
+ "1157": user-account-disabled # 1157,Users,Authentication Access,User Activity,INFO,---,User Account Expired,User account '%s' expired and disabled
+ "1158": user-account-deleted # 1158,Users,Authentication Access,User Activity,INFO,---,User Account Pruned,User account '%s' expired and pruned
+ "1243": login-failure # 1243,Users,Authentication Access,User Activity,INFO,---,Sending OTP Failed,User login Failed - An error has occurred while sending your one-time password
+ "1333": user-account-created # 1333,Users,Authentication Access,User Activity,INFO,---,Create a User,%s
+ "1334": user-account-changed # 1334,Users,Authentication Access,User Activity,INFO,---,Edit a User,%s
+ "1335": user-account-deleted # 1335,Users,Authentication Access,User Activity,INFO,---,Delete a User,%s
+ "1341": user-account-changed # 1341,Users,Authentication Access,User Activity,INFO,---,Edit Customize Login Pages,%s
+ "1342": user-account-changed # 1342,Users,Authentication Access,User Activity,INFO,---,Edit user lockout params,Update administrator/user lockout params - %s
+ "1517": login-failure # 1517,Users,Authentication Access,User Activity,INFO,---,User Name Invalid Symbol,User name invalid symbol: %s
+ "1570": user-account-locked # 1570,Users,Authentication Access,Attack,ERROR,---,User Account Lockout,%s.
+ "1571": user-account-unlocked # 1571,Users,Authentication Access,Attack,ERROR,---,User Account Unlocked,User %s account is unlocked.
+ "1572": login-failure # 1572,Users,Authentication Access,Attack,ERROR,---,User is currently locked out,User login failed because the user is currently locked out.
+ "1585": login-failure # 1585,Users,Authentication Access,User Activity,INFO,---,User Login Denied,User login denied -%s
+ "1627": user-account-disabled # 1627,Users,Authentication Access,User Activity,INFO,---,User Account Expired due to inactivity,User account '%s' expired and disabled due to inactivity
+ "1655": login-failure # 1655,Users,Authentication Access,Attack,ERROR,---,User is now locked out,"User login failed, user is now locked out."
+ "1672": login-failure # 1672,Users,Authentication Access,User Activity,WARNING,---,CLI Limit Admin Denied From WAN,CLI limit administrator login denied from WAN
+
+ # Radius Authentication
+ "243": login-failure # 243,Users,Radius Authentication,User Activity,INFO,8201,User Login Failed,User login denied - RADIUS authentication failure
+ "244": login-failure # 244,Users,Radius Authentication,User Activity,WARNING,8202,User Login Timeout,User login denied - RADIUS server Timeout
+ "245": login-failure # 245,Users,Radius Authentication,User Activity,WARNING,8203,User Login Error,User login denied - RADIUS configuration error
+ "744": login-failure # 744,Users,Radius Authentication,User Activity,WARNING,8205,RADIUS Communicatio n Problem,User login denied - RADIUS communication problem
+ "745": login-failure # 745,Users,Radius Authentication,User Activity,INFO,8206,LDAP Authentication Failure,User login denied - LDAP authentication failure
+ "746": login-failure # 746,Users,Radius Authentication,User Activity,WARNING,8207,LDAP Server Timeout,User login denied - LDAP server Timeout
+ "747": login-failure # 747,Users,Radius Authentication,User Activity,WARNING,8208,LDAP Server Error,User login denied - LDAP server down or misconfigured
+ "748": login-failure # 748,Users,Radius Authentication,User Activity,WARNING,8209,LDAP Communicatio n Problem,User login denied - LDAP communication problem
+ "749": login-failure # 749,Users,Radius Authentication,User Activity,WARNING,8210,LDAP Server Invalid Credential,User login denied - invalid credentials on LDAP server
+ "750": login-failure # 750,Users,Radius Authentication,User Activity,WARNING,8211,LDAP Server Insufficient Access,User login denied - insufficient access on LDAP server
+ "751": login-failure # 751,Users,Radius Authentication,User Activity,WARNING,8212,LDAP Schema Mismatch,User login denied - LDAP schema mismatch
+ "753": login-failure # 753,Users,Radius Authentication,User Activity,WARNING,8214,LDAP Server Name Resolution Failed,User login denied - LDAP server name resolution failed
+ "754": login-failure # 754,Users,Radius Authentication,User Activity,WARNING,8215,RADIUS Server Name Resolution Failed,User login denied - RADIUS server name resolution failed
+ "755": login-failure # 755,Users,Radius Authentication,User Activity,WARNING,8216,LDAP Server Certificate Invalid,User login denied - LDAP server certificate not valid
+ "756": login-failure # 756,Users,Radius Authentication,User Activity,WARNING,8217,LDAP TLS or Local Error,User login denied - TLS or local certificate problem
+ "757": login-failure # 757,Users,Radius Authentication,User Activity,WARNING,8218,LDAP Directory Mismatch,User login denied - LDAP directory mismatch
+ "1011": user-account-change-failure # 1011,Users,Radius Authentication,System Error,WARNING,4265,Non-Administr ative Attempt to Change Password,LDAP using non-administrative account - VPN client user will not be able to change passwords
+
+ # SSO Agent Authentication
+ "988": login-failure # 988,Users,SSO Agent Authentication,User Activity,WARNING,12601,Timeout,User login denied - SSO agent Timeout
+ "989": login-failure # 989,Users,SSO Agent Authentication,User Activity,WARNING,12602,Configuration Error,User login denied - SSO agent configuration error
+ "990": login-failure # 990,Users,SSO Agent Authentication,User Activity,WARNING,12603,Communicatio n Problem,User login denied - SSO agent communication problem
+ "991": login-failure # 991,Users,SSO Agent Authentication,User Activity,WARNING,12604,Name Resolution Failed,User login denied - SSO agent name resolution failed
+
+ # Anti-Spyware
+ "794": malware-info # 794,Security Services,Anti-Spyware,Attack,ALERT,6437,Anti-Spyware Prevention Alert,Anti-Spyware Prevention Alert: %s
+ "795": malware-info # 795,Security Services,Anti-Spyware,Attack,ALERT,6438,Anti-Spyware Detection Alert,Anti-Spyware Detection Alert: %s
+ "796": malware-info # 796,Security Services,Anti-Spyware,Maintenance,WARNING,8631,Anti-Spyware Service Expired,Anti-Spyware Service Expired
+
+ # Anti-Virus
+ "123": malware-info # 123,Security Services,Anti-Virus,Maintenance,INFO,8605,AV Access Without Agent,Access attempt from host without Anti-Virus agent installed
+ "124": malware-info # 124,Security Services,Anti-Virus,Maintenance,INFO,8606,AV Agent Out of Date,Anti-Virus agent out-of-date on host
+ "125": malware-info # 125,Security Services,Anti-Virus,Maintenance,WARNING,524,AV Alert Receive,Received AV Alert: %s
+ "159": malware-info # 159,Security Services,Anti-Virus,Maintenance,WARNING,526,AV Expire message,Received AV Alert: Your Network Anti-Virus subscription has expired. %s
+ "408": malware-info # 408,Security Services,Anti-Virus,Maintenance,INFO,8617,AV License Exceeded,Anti-Virus Licenses Exceeded
+ "482": malware-info # 482,Security Services,Anti-Virus,Maintenance,WARNING,552,AV Expiration Warning,Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. %s
+
+ # Next-Gen Anti-Virus
+ "1559": malware-info # 1559,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Access Without Agent,Access attempt from host without Next-Gen Anti-Virus agent installed
+ "1560": malware-info # 1560,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Agent Out of Date,Next-Gen Anti-Virus agent out-of-date on host
+ "1561": malware-info # 1561,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expire message,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription has expired. %s
+ "1562": malware-info # 1562,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expiration Warning,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription will expire in 7 days. %s
+
+ # Application Control
+ "1154": malware-info # 1154,Security Services,Application Control,---,ALERT,15001,Application Control Detection Alert,Application Control Detection Alert: %s
+ "1155": malware-info # 1155,Security Services,Application Control,---,ALERT,15002,Application Control Prevention Alert,Application Control Prevention Alert: %s
+
+ # Application Firewall
+ "793": malware-info # 793,Firewall,Application Firewall,User Activity,ALERT,13201,Application Firewall Alert,Application Firewall Alert: %s
+ "1654": malware-info # 1654,Firewall,Application Firewall,User Activity,DEBUG,---,Custom Match Applied,Custom Match applied %s
+
+ # Access Rules
+ "440": config-add # 440,Firewall,Access Rules,User Activity,INFO,5801,Rule Added,Access rule added
+ "441": config-change # 441,Firewall,Access Rules,User Activity,INFO,5802,Rule Modified,Access rule viewed or modified
+ "442": config-delete # 442,Firewall,Access Rules,User Activity,INFO,5803,Rule Deleted,Access rule deleted
+
+ # Administration
+ "340": config-change # 340,System,Administration,Maintenance,INFO,5212,HTTP Port Change,HTTP management port has changed
+ "341": config-change # 341,System,Administration,Maintenance,INFO,5213,HTTPS Port Change,HTTPS management port has changed
+
+ # Advanced
+ "1590": config-info # 1590,Firewall Settings,Advanced,Debug,INFO,---,Internal VLAN Configuration,%s
+
+ # Botnet Filter
+ "1195": attack-detected # 1195,Security Services,Botnet Filter,---,WARNING,---,Botnet Filter Subscription Expired,Received Alert: Your Firewall Botnet Filter subscription has expired.
+ "1200": attack-blocked # 1200,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked,Suspected Botnet initiator blocked: %s
+ "1201": attack-blocked # 1201,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked,Suspected Botnet responder blocked: %s
+ "1476": attack-blocked # 1476,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Initiator Blocked,"Suspected Botnet initiator blocked: %s, Source: Custom List"
+ "1477": attack-blocked # 1477,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Responder Blocked,"Suspected Botnet responder blocked: %s, Source: Custom List"
+ "1518": attack-blocked # 1518,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked By Dynamic List,"Suspected Botnet initiator blocked: %s, Source: Dynamic List"
+ "1519": attack-blocked # 1519,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked By Dynamic List,"Suspected Botnet responder blocked: %s, Source: Dynamic List"
+
+ # Cloud Backup
+ "1511": internal-log-success # 1511,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Successful,%s
+ "1512": internal-log-failure # 1512,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Failed,%s
+ "1513": internal-log-success # 1513,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Successful,%s
+ "1514": internal-log-failure # 1514,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Failed,%s
+ "1515": internal-log-success # 1515,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Successful,%s
+ "1516": internal-log-failure # 1516,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Failed,%s
+
+ # Restart
+ "93": internal-log-failure # 93,System,Restart,System Error,ERROR,611,Suspend Reboot,Diagnostic Code A
+ "94": internal-log-failure # 94,System,Restart,System Error,ERROR,612,Deadlock Reboot,Diagnostic Code B
+ "95": internal-log-failure # 95,System,Restart,System Error,ERROR,613,Low Memory Reboot,Diagnostic Code C
+ "164": internal-log-failure # 164,System,Restart,System Error,ERROR,621,HTTP Server Reboot,Diagnostic Code F
+ "599": internal-log-failure # 599,System,Restart,System Error,ERROR,655,Stack Margin Reboot,Diagnostic Code G
+ "600": internal-log-failure # 600,System,Restart,System Error,ERROR,656,Delete Reboot,Diagnostic Code H
+ "601": internal-log-failure # 601,System,Restart,System Error,ERROR,657,Delete Stack Reboot,Diagnostic Code I
+ "1046": internal-log-success # 1046,System,Restart,---,INFO,---,Diagnostic Auto-Restart Canceled,Diagnostic Auto-restart canceled
+ "1047": internal-log-success # 1047,System,Restart,---,INFO,---,Diagnostic Auto-Restart,"As per Diagnostic Auto-restart configuration Request, restarting system"
+ "1392": internal-log-success # 1392,System,Restart,Maintenance,ALERT,5243,SonicOS up,SonicOS up:%s
+ "1393": internal-log-success # 1393,System,Restart,Maintenance,ALERT,5244,SonicOS down,SonicOS down:%s
+
+ # Settings
+ "573": internal-log-failure # 573,System,Settings,System Error,WARNING,649,Preferences Too Big,The preferences file is too large to be saved in available flash memory
+ "574": internal-log-failure # 574,System,Settings,System Error,WARNING,650,Preferences Defaulted,All preference values have been set to factory default values
+ "1049": internal-log-success # 1049,System,Settings,---,INFO,---,System Setting Imported,System Setting Imported
+ "1065": internal-log-success # 1065,System,Settings,Maintenance,INFO,---,Remote Backup Succeeded,Successfully sent %s file to remote backup server
+ "1066": internal-log-failure # 1066,System,Settings,Maintenance,ALERT,---,Remote Backup Failed,"Failed to send file to remote backup server, Error: %s"
+ "1160": internal-log-failure # 1160,System,Settings,Maintenance,DEBUG,---,Failed to Ping Remote Backup Server,Attempt to contact Remote backup server for upload approval failed
+ "1161": internal-log-failure # 1161,System,Settings,Maintenance,DEBUG,---,Failed to Upload Remote Backup Server,Backup remote server did not approve upload Request
+ "1268": internal-log-failure # 1268,System,Settings,---,NOTICE,---,Firmware Update Failed,Firmware Update Failed
+ "1269": config-change # 1269,System,Settings,---,NOTICE,---,Firmware Update Succeeded,Firmware Update Succeeded %s
+ "1336": config-change # 1336,System,Settings,---,INFO,---,Change Certification,Certification %s
+ "1337": user-account-changed # 1337,System,Settings,---,INFO,---,User Password Changed by Administrators,%s
+ "1338": user-account-changed # 1338,System,Settings,---,INFO,---,User Change Password,User %s password is changed
+ "1339": config-change # 1339,System,Settings,---,INFO,---,Change Password Rule,Password rule %s is changed
+ "1340": config-change # 1340,System,Settings,---,INFO,---,Change User Inactive time out,User Inactive timeout is changed to %s
+ "1432": config-change # 1432,System,Settings,---,INFO,---,Configuration Change,Configuration changed: %s
+ "1494": internal-log-success # 1494,System,Settings,---,INFO,---,System Setting Exported,System Setting Exported
+ "1520": internal-log-success # 1520,System,Settings,Maintenance,INFO,---,E-mail SFR Success,Successfully sent SFR file by E-mail
+ "1521": internal-log-failure # 1521,System,Settings,Maintenance,INFO,---,E-mail SFR Failed,"Failed to send SFR file by E-mail, %s"
+ "1565": internal-log-success # 1565,System,Settings,Maintenance,INFO,---,FTP Transfer Success,Successfully sent Flow Report file by FTP
+ "1566": internal-log-failure # 1566,System,Settings,Maintenance,INFO,---,FTP Transfer Failed,"Failed to send Flow Report file by FTP, %s"
+ "1567": internal-log-success # 1567,System,Settings,Maintenance,INFO,---,E-mail Transfer Success,Successfully sent Flow Report file by E-mail
+ "1568": internal-log-failure # 1568,System,Settings,Maintenance,INFO,---,E-mail Transfer Failed,"Failed to send Flow Report file by E-mail, %s"
+ "1636": internal-log-failure # 1636,System,Settings,---,INFO,---,Port Unreachable Received,Port Unreachable received from remote sender
+ "1637": internal-log-failure # 1637,System,Settings,---,INFO,---,Port Unreachable Ignored,Port Unreachable from remote sender ignored
+
+ # Cluster
+ "1149": internal-log-failure # 1149,High Availability,Cluster,---,WARNING,---,VRRP Expiration Message,Your Active/Active Clustering subscription has expired.
+ "1152": internal-log-failure # 1152,High Availability,Cluster,---,ERROR,---,VRRP Cluster No license,Active/Active Clustering license is not activated on the following cluster units: %s
+
+ # Status
+ "4": internal-log-success # 4,System,Status,Maintenance,ALERT,5201,Activate Firewall,Network Security Appliance activated
+ "53": internal-log-failure # 53,System,Status,System Error,ERROR,607,Connection Cache Full,The cache is full; %s open connections; some will be dropped
+ "521": internal-log-success # 521,System,Status,Maintenance,INFO,5218,Initializing,Network Security Appliance initializing
+ "1107": internal-log-failure # 1107,System,Status,System Error,ALERT,---,System Alert,%s
+ "1196": internal-log-failure # 1196,System,Status,Maintenance,ALERT,---,Firewall Limit Reached,Product maximum entries reached - %s
+ "1332": config-change # 1332,System,Status,Maintenance,ALERT,---,NDPP Mode Change,NDPP mode is changed to %s
+ "1495": internal-log-success # 1495,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Setting Import,Firewall was rebooted by setting import at %s
+ "1496": internal-log-success # 1496,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Firmware,Firewall was rebooted by %s
+
+
# Configuration Auditing + "1382": config-change # 1382,Log,Configuration Auditing,User Activity,INFO,5609,Configuration Change Succeeded,Configuration succeeded: %s + "1383": config-change-failure # 1383,Log,Configuration Auditing,User Activity,INFO,5610,Configuration Change Failed,Configuration failed: %s + "1674": config-change # 1674,Log,Configuration Auditing,User Activity,INFO,---,Chassis settings change,Chassis: %s + + # Interfaces + "58": connection-denied # 58,Network,Interfaces,System Error,ERROR,608,Too Many IP on LAN,License exceeded: Connection dropped because too many IP addresses are in use on your LAN + + # SSL Control + "999": connection-info # 999,Firewall Settings,SSL Control,Blocked Sites,INFO,7247,Website Found in Blacklist,SSL Control: Website found in blacklist + "1001": connection-info # 1001,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Weak SSL Version,SSL Control: Weak SSL Version being used + "1002": connection-info # 1002,Firewall Settings,SSL Control,Blocked Sites,INFO,7250,Certificate With Invalid Date,SSL Control: Certificate with invalid date + "1003": connection-info # 1003,Firewall Settings,SSL Control,Blocked Sites,INFO,7251,Self-Signed Certificate,SSL Control: Self-signed certificate + "1004": connection-info # 1004,Firewall Settings,SSL Control,Blocked Sites,INFO,7252,Weak Cipher Being Used,SSL Control: Weak cipher being used + "1005": connection-info # 1005,Firewall Settings,SSL Control,Blocked Sites,INFO,7253,Untrusted CA,SSL Control: Untrusted CA + "1006": connection-info # 1006,Firewall Settings,SSL Control,Blocked Sites,INFO,7254,Certificate Chain Incomplete,SSL Control: Certificate chain not complete + "1081": connection-info # 1081,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Certificate Blocked Weak Digest,SSL Control: Certificate with Weak Digest Signature Algorithm + + on_failure: + - append: + field: error.message + value: 'internal ECS categorization error: {{{ _ingest.on_failure_message }}}' + 
source: | + def clone(def val) { + return val instanceof List? new ArrayList(val) : val; + } + def evtype = params.message_codes[ctx.event?.code]; + if (evtype == null) return; + def actions = params.event_types[evtype]; + if (actions == null) { + throw new Exception("message code " + ctx.event.code + " references missing event type " + evtype); + } + def event = ctx.computeIfAbsent('event', k -> new HashMap()); + for (def entry : actions.entrySet()) { + event[entry.getKey()] = clone(entry.getValue()); + } + event["action"] = evtype; + +# +# Builds url fields +# url = proto + :// + dstname + arg +# +# This requires `arg` field being present (url.path) +# as dstname can have a different meaning (email attachments) +# but arg is always used in the context of an HTTP transaction +# + - set: + field: url.scheme + value: '{{{ network.protocol }}}' + ignore_empty_value: true + if: 'ctx.url?.path != null' + + - rename: + field: url.domain + target_field: sonicwall.firewall.dstname + ignore_missing: true + if: 'ctx.url?.path == null' + + - set: + field: url.full + value: '{{{ url.scheme }}}://{{{ url.domain }}}{{{ url.path }}}' + if: 'ctx.url?.scheme != null && ctx.url?.domain != null' + + - set: + field: url.full + value: '//{{{ url.domain }}}{{{ url.path }}}' + if: 'ctx.url?.scheme == null && ctx.url?.domain != null' + +# +# Related fields +# + - append: + field: related.ip + value: "{{{ source.ip }}}" + allow_duplicates: false + if: 'ctx.source?.ip != null' + - append: + field: related.ip + value: "{{{ source.nat.ip }}}" + allow_duplicates: false + if: 'ctx.source?.nat?.ip != null' + - append: + field: related.ip + value: "{{{ destination.ip }}}" + allow_duplicates: false + if: 'ctx.destination?.ip != null' + - append: + field: related.ip + value: "{{{ destination.nat.ip }}}" + allow_duplicates: false + if: 'ctx.destination?.nat?.ip != null' + - append: + field: related.ip + value: "{{{ observer.ip }}}" + allow_duplicates: false + if: 'ctx.observer?.ip != null' + - 
append:
+ field: related.user
+ value: "{{{ user.name }}}"
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+#
+# Cleanup
+#
+ - remove:
+ field:
+ - _conf
+ - _temp_
+ - sonicwall.firewall.srcV6
+ - sonicwall.firewall.dstV6
+ - sonicwall.firewall.note
+ - sonicwall.firewall.c
+ ignore_failure: true
+ ignore_missing: true
+
+ - remove:
+ field: sonicwall
+ if: 'ctx.sonicwall?.firewall?.size() == 0'
+
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !ctx.tags.contains('preserve_original_event')"
+ ignore_failure: true
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/data_stream/log/fields/base-fields.yml b/packages/sonicwall_firewall/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..016fb3dd862
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: sonicwall_firewall
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: sonicwall_firewall.log
diff --git a/packages/sonicwall_firewall/data_stream/log/fields/beats.yml b/packages/sonicwall_firewall/data_stream/log/fields/beats.yml
new file mode 100644
index 00000000000..9275638f93a
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/fields/beats.yml
@@ -0,0 +1,15 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/sonicwall_firewall/data_stream/log/fields/ecs.yml b/packages/sonicwall_firewall/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..b7bb0c9773e
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/fields/ecs.yml
@@ -0,0 +1,124 @@
+- name: destination.address
+ external: ecs
+- name: destination.bytes
+ external: ecs
+- name: destination.domain
+ external: ecs
+- name: destination.geo.city_name
+ external: ecs
+- name: destination.geo.continent_name
+ external: ecs
+- name: destination.geo.country_iso_code
+ external: ecs
+- name: destination.geo.country_name
+ external: ecs
+- name: destination.geo.location
+ external: ecs
+- name: destination.geo.region_iso_code
+ external: ecs
+- name: destination.geo.region_name
+ external: ecs
+- name: destination.ip
+ external: ecs
+- name: destination.mac
+ external: ecs
+- name: destination.nat.ip
+ external: ecs
+- name: destination.nat.port
+ external: ecs
+- name: destination.packets
+ external: ecs
+- name: destination.port
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: http.request.method
+ external: ecs
+- name: log.level
+ external: ecs
+- name: message
+ external: ecs
+- name: network.bytes
+ external: ecs
+- name: network.packets
+ external: ecs
+- name: network.protocol
+ external: ecs
+- name: network.transport
+ external: ecs
+- name: observer.egress.interface.name
+ external: ecs
+- name: observer.egress.zone
+ external: ecs
+- name: observer.ingress.interface.name
+ external: ecs
+- name: observer.ingress.zone
+ external: ecs
+- name: observer.hostname
+ external: ecs
+- name: observer.ip
+ external: ecs
+- name: observer.name
+ external: ecs
+- name: observer.product
+ external: ecs
+- name: observer.serial_number
+ external: ecs
+- name: observer.type
+ external: ecs
+- name: observer.vendor
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: related.user
+ external: ecs
+- name: rule.id
+ external: ecs
+- name: rule.name
+ external: ecs
+- name: source.address
+ external: ecs
+- name: source.bytes
+ external: ecs
+- name: source.domain
+ external: ecs
+- name: source.geo.city_name
+ external: ecs
+- name: source.geo.continent_name
+ external: ecs
+- name: source.geo.country_iso_code
+ external: ecs
+- name: source.geo.country_name
+ external: ecs
+- name: source.geo.location
+ external: ecs
+- name: source.geo.region_iso_code
+ external: ecs
+- name: source.geo.region_name
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: source.mac
+ external: ecs
+- name: source.nat.ip
+ external: ecs
+- name: source.nat.port
+ external: ecs
+- name: source.packets
+ external: ecs
+- name: source.port
+ external: ecs
+- name: tags
+ external: ecs
+- name: url.domain
+ external: ecs
+- name: url.full
+ external: ecs
+- name: url.original
+ external: ecs
+- name: url.path
+ external: ecs
+- name: url.scheme
+ external: ecs
+- name: user.name
+ external: ecs
diff --git a/packages/sonicwall_firewall/data_stream/log/fields/package-fields.yml b/packages/sonicwall_firewall/data_stream/log/fields/package-fields.yml
new file mode 100644
index 00000000000..9bf93ea54c1
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/fields/package-fields.yml
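Review bot: No `event.*` fields are declared in this file, although the pipeline and the sample event in this same change populate event.action, event.code, event.sequence, event.severity, event.outcome, event.kind, event.category, event.type and event.timezone; unless another fields file outside this diff declares them, those fields are mapped dynamically instead of with their ECS types. The sample event already shows `"sequence": "692"` and `"severity": "7"` stored as strings where ECS defines both as `long`, so range queries and any severity-based visualization will not behave as expected once a keyword mapping is picked. Add the missing entries in the same form as the rest, e.g. `- name: event.severity` / `  external: ecs`, and have the pipeline (outside this hunk) convert the two numeric values so they match the declared type.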
@@ -0,0 +1,66 @@
+- name: sonicwall.firewall
+ type: group
+ description: Vendor fields from SonicWall firewall logs
+ fields:
+ - name: Category
+ type: keyword
+ description: Category of CFS blocked content.
+ - name: af_polid
+ type: keyword
+ description: Displays the Application Filter Policy ID.
+ - name: app
+ type: keyword
+ description: Numeric application ID.
+ - name: appName
+ type: keyword
+ description: Non-Signature Application Name.
+ - name: appcat
+ type: keyword
+ description: Application control category.
+ - name: appid
+ type: keyword
+ description: Application ID.
+ - name: auditId
+ type: keyword
+ - name: code
+ type: keyword
+ description: CFS blocking code.
+ - name: dpi
+ type: boolean
+ description: Indicates wether a flow underwent Deep Packet Inspection.
+ - name: event_group_category
+ type: keyword
+ description: Event group category.
+ - name: gcat
+ type: keyword
+ description: Event group category (numeric identifier).
+ - name: ipscat
+ type: keyword
+ description: IPS category.
+ - name: ipspri
+ type: keyword
+ description: IPS priority.
+ - name: oldValue
+ type: keyword
+ - name: sess
+ type: keyword
+ description: User session type.
+ - name: sid
+ type: keyword
+ description: IPS or Anti-Spyware signature ID.
+ - name: tranxId
+ type: keyword
+ - name: type
+ type: keyword
+ description: ICMP type.
+ - name: userMode
+ type: keyword
+ - name: uuid
+ type: keyword
+ description: Object UUID.
+ - name: vpnpolicy
+ type: keyword
+ description: source VPN policy name.
+ - name: vpnpolicyDst
+ type: keyword
+ description: destination VPN policy name.
diff --git a/packages/sonicwall_firewall/data_stream/log/manifest.yml b/packages/sonicwall_firewall/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..dc297483321
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/manifest.yml
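Review bot: Four vendor fields (`auditId`, `oldValue`, `tranxId`, `userMode`) carry no `description`, so they render with an empty Description column in the generated README and give an analyst nothing to go on; a one-line description taken from the SonicOS log events reference that the README links would close that gap. The `dpi` description misspells "wether" — it should read `description: Indicates whether a flow underwent Deep Packet Inspection.` — and the `vpnpolicy`/`vpnpolicyDst` descriptions start in lowercase while every other entry is a capitalised sentence, so `Source VPN policy name.` and `Destination VPN policy name.` would match the rest.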
@@ -0,0 +1,40 @@
+title: "SonicWall Firewall logs"
+type: logs
+streams:
+ - input: udp
+ template_path: udp.yml.hbs
+ title: Syslog logs
+ description: Collect logs via syslog
+ vars:
+ - name: syslog_host
+ type: text
+ title: Listen address
+ description: |
+ Address where the agent will accept syslog messages.
+ Use 0.0.0.0 to receive syslog on all interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: 0.0.0.0
+ - name: syslog_port
+ type: integer
+ title: Listen Port
+ description: UDP Port where the Agent will receive syslog messages.
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - input: logfile
+ enabled: false
+ template_path: logfile.yml.hbs
+ title: Log files
+ description: Collect logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/sonicwall-firewall.log
diff --git a/packages/sonicwall_firewall/data_stream/log/sample_event.json b/packages/sonicwall_firewall/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..eba948c3f47
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/sample_event.json
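Review bot: The README in this change tells users to configure a **Timezone Offset** setting, and the pipeline's cleanup step only keeps `event.original` when the event carries the `preserve_original_event` tag, yet this data-stream manifest declares only `syslog_host`, `syslog_port` and `paths`. Unless those two settings are defined at package level or fixed inside `udp.yml.hbs`/`logfile.yml.hbs` (neither is visible in this chunk), users cannot set the offset or keep the original event from Fleet, and timestamps from a firewall that is not configured to display UTC will be skewed by the local offset. A timezone-offset text var (the repo's other syslog packages call it `tz_offset`) and a `preserve_original_event` boolean var with `default: false` next to `syslog_host` would close the gap, ideally named as in the deprecated `sonicwall` package so that migrating users can carry their policies over. Minor: `description: |` keeps a trailing newline in the rendered help text for `syslog_host`; `|-` avoids it.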
@@ -0,0 +1,127 @@ +{ + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "agent": { + "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", + "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "sonicwall_firewall.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64889 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "connection-denied", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "713", + "dataset": "sonicwall_firewall.log", + "ingested": "2022-05-23T13:47:58Z", + "kind": "event", + "outcome": "success", + "sequence": "692", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "level": "debug", + "source": { + "address": "172.24.0.4:47831" + } + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": 
"Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "sonicwall-firewall", + "forwarded" + ], + "user": { + "name": "admin" + } +} \ No newline at end of file diff --git a/packages/sonicwall_firewall/docs/README.md b/packages/sonicwall_firewall/docs/README.md new file mode 100644 index 00000000000..9d152b95bb8 --- /dev/null +++ b/packages/sonicwall_firewall/docs/README.md 
@@ -0,0 +1,311 @@ +# SonicWall Firewall Integration + +This integration collects syslog messages from SonicWall firewalls. It has been tested with Enhanced +Syslog logs from SonicOS 6.5 and 7.0 as described in the [Log Events reference guide.](https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf) + +## Configuration + +Configure a Syslog Server in your firewall using the following options: + - **Name or IP Address:** The address where your Elastic Agent running this integration is reachable. + - **Port:** The Syslog port (UDP) configured in this integration. + - **Server Type:** Syslog Server. + - **Syslog Format:** Enhanced Syslog. + - **Syslog ID:** Change this default (`firewall`) if you need to differentiate between multiple firewalls. + This value will be stored in the `observer.name` field. + +It's recommended to enable the **Display UTC in logs (instead of local time)** setting under the +_Device > Settings > Time_ configuration menu. Otherwise you'll have to configure the **Timezone Offset** +setting of this integration to match the timezone configured in your firewall. + +Ensure proper connectivity between your firewall and Elastic Agent. 
+ +## Supported messages + +This integration features generic support for enhanced syslog messages produced by SonicOS and features +more detailed ECS enrichment for the following messages: + +| Category | Subcategory | Message IDs | +|----------|-------------|-------------| +| Firewall | Access Rules | 440-442, 646, 647, 734, 735 | +| Firewall | Application Firewall | 793, 1654 | +| Firewall Settings | Advanced | 428, 1473, 1573, 1576, 1590 | +| Firewall Settings | Checksum Enforcement | 883-886, 1448, 1449 | +| Firewall Settings | FTP | 446, 527, 528, 538 | +| Firewall Settings | Flood Protection | 25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452 | +| Firewall Settings | Multicast | 683, 690, 694, 1233 | +| Firewall Settings | SSL Control | 999, 1001-1006, 1081 | +| High Availability | Cluster | 1149, 1152 | +| Log | Configuration Auditing | 1382, 1383, 1674 | +| Network | ARP | 45, 815, 1316 | +| Network | DNS | 1098, 1099 | +| Network | DNS Security | 1593 | +| Network | ICMP | 38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458 | +| Network | IP | 28, 522, 910, 1301-1303, 1429, 1430 | +| Network | IPcomp | 651-653 | +| Network | IPv6 Tunneling | 1253 | +| Network | Interfaces | 58 | +| Network | NAT | 339, 1197, 1436 | +| Network | NAT Policy | 1313-1315 | +| Network | Network Access | 41, 46, 98, 347, 524, 537, 590, 714, 1304 | +| Network | TCP | 36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629 | +| Security Services | Anti-Spyware | 794-796 | +| Security Services | Anti-Virus | 123-125, 159, 408, 482 | +| Security Services | Application Control | 1154, 1155 | +| Security Services | Attacks | 22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471 | +| Security Services | Botnet Filter | 1195, 1200, 1201, 1476, 1477, 1518, 1519 | +| Security Services | Content Filter | 14, 16, 1599-1601 | +| Security Services | Geo-IP Filter | 1198, 1199, 1474, 1475 | +| Security 
Services | IDP | 789, 790 | +| Security Services | IPS | 608, 609 | +| Security Services | Next-Gen Anti-Virus | 1559-1562 | +| Security Services | RBL Filter | 797, 798 | +| System | Administration | 340, 341 | +| System | Cloud Backup | 1511-1516 | +| System | Restart | 93-95, 164, 599-601, 1046, 1047, 1392, 1393 | +| System | Settings | 573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637 | +| System | Status | 4, 53, 521, 1107, 1196, 1332, 1495, 1496 | +| Users | Authentication Access | 24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672 | +| Users | Radius Authentication | 243-245, 744-751, 753-757, 1011 | +| Users | SSO Agent Authentication | 988-991 | +| VPN | DHCP Relay | 229 | +| Wireless | RF Monitoring | 879 | +| Wireless | WLAN | 1363 | +| Wireless | WLAN IDS | 546, 548 | + +## Logs + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-05-16T08:18:39.000+02:00", + "agent": { + "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", + "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "sonicwall_firewall.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "mac": "00-17-C5-30-F9-D9", + "port": 64889 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + 
"action": "connection-denied", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "713", + "dataset": "sonicwall_firewall.log", + "ingested": "2022-05-23T13:47:58Z", + "kind": "event", + "outcome": "success", + "sequence": "692", + "severity": "7", + "timezone": "+02:00", + "type": [ + "connection", + "denied" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "level": "debug", + "source": { + "address": "172.24.0.4:47831" + } + }, + "message": "� (TCP Flag(s): RST)", + "network": { + "bytes": 46, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "rule": { + "id": "15 (WAN-\u003eWAN)" + }, + "sonicwall": { + "firewall": { + "app": "12", + "event_group_category": "Firewall Settings", + "gcat": "6", + "sess": "Web" + } + }, + "source": { + "bytes": 46, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "port": 443 + }, + "tags": [ + "sonicwall-firewall", + "forwarded" + ], + "user": { + "name": "admin" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| sonicwall.firewall.Category | Category of CFS blocked content. | keyword | +| sonicwall.firewall.af_polid | Displays the Application Filter Policy ID. 
| keyword | +| sonicwall.firewall.app | Numeric application ID. | keyword | +| sonicwall.firewall.appName | Non-Signature Application Name. | keyword | +| sonicwall.firewall.appcat | Application control category. | keyword | +| sonicwall.firewall.appid | Application ID. | keyword | +| sonicwall.firewall.auditId | | keyword | +| sonicwall.firewall.code | CFS blocking code. | keyword | +| sonicwall.firewall.dpi | Indicates wether a flow underwent Deep Packet Inspection. | boolean | +| sonicwall.firewall.event_group_category | Event group category. | keyword | +| sonicwall.firewall.gcat | Event group category (numeric identifier). | keyword | +| sonicwall.firewall.ipscat | IPS category. | keyword | +| sonicwall.firewall.ipspri | IPS priority. | keyword | +| sonicwall.firewall.oldValue | | keyword | +| sonicwall.firewall.sess | User session type. | keyword | +| sonicwall.firewall.sid | IPS or Anti-Spyware signature ID. | keyword | +| sonicwall.firewall.tranxId | | keyword | +| sonicwall.firewall.type | ICMP type. | keyword | +| sonicwall.firewall.userMode | | keyword | +| sonicwall.firewall.uuid | Object UUID. | keyword | +| sonicwall.firewall.vpnpolicy | source VPN policy name. | keyword | +| sonicwall.firewall.vpnpolicyDst | destination VPN policy name. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. 
| keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/sonicwall_firewall/img/dashboard.png b/packages/sonicwall_firewall/img/dashboard.png new file mode 100644 index 00000000000..7c03fed3adb Binary files /dev/null and b/packages/sonicwall_firewall/img/dashboard.png differ diff --git a/packages/sonicwall_firewall/img/logo.svg b/packages/sonicwall_firewall/img/logo.svg new file mode 100644 index 00000000000..fb1aded68a2 --- /dev/null +++ b/packages/sonicwall_firewall/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/sonicwall_firewall/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json new file mode 100644 index 00000000000..47df56dc7e1 --- /dev/null +++ b/packages/sonicwall_firewall/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json 
@@ -0,0 +1,1447 @@ +{ + "attributes": { + "description": "Dashboard for SonicWall Firewall events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sonicwall_firewall.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sonicwall_firewall.log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "controls": [ + { + "fieldName": "observer.name", + "id": "1652981377419", + "indexPatternRefName": "control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern", + "label": "Firewall ID", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": true + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "13a27ebe-963e-4539-9013-186e247e0b32", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "13a27ebe-963e-4539-9013-186e247e0b32", + "title": "Filter by Firewall (Syslog ID)", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d6a337e6-588b-47b6-9414-c621dcf265c9": { + "columnOrder": [ + "412981b2-ba5e-4e78-a96b-c51be9ae8870", + "4e72963e-8fc8-475c-88ad-bafcc38a726b", + "abcd61b9-9bfc-45e6-8c71-3167174a8bcd" + ], + "columns": { + "412981b2-ba5e-4e78-a96b-c51be9ae8870": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of event.code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "abcd61b9-9bfc-45e6-8c71-3167174a8bcd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.code" + }, + "4e72963e-8fc8-475c-88ad-bafcc38a726b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "abcd61b9-9bfc-45e6-8c71-3167174a8bcd": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "abcd61b9-9bfc-45e6-8c71-3167174a8bcd" + ], + "layerId": "d6a337e6-588b-47b6-9414-c621dcf265c9", + "layerType": "data", + "position": "top", + 
"seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "412981b2-ba5e-4e78-a96b-c51be9ae8870", + "xAccessor": "4e72963e-8fc8-475c-88ad-bafcc38a726b" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5", + "w": 35, + "x": 13, + "y": 0 + }, + "panelIndex": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5", + "title": "Event code histogram", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ab93ebb-d843-4bdb-99a2-c55dd1b5c096", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2c3a0f47-236c-41cb-86e8-e8a27033d165": { + "columnOrder": [ + "ac755b72-5005-416d-8da8-7001a2ba5366", + "b988645c-c513-4755-b369-3f3787e6045d" + ], + "columns": { + "ac755b72-5005-416d-8da8-7001a2ba5366": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of observer.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b988645c-c513-4755-b369-3f3787e6045d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "observer.name" + }, + "b988645c-c513-4755-b369-3f3787e6045d": { + "dataType": "number", + "isBucketed": false, + "label": "Count of 
records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2ab93ebb-d843-4bdb-99a2-c55dd1b5c096", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sonicwall_firewall.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sonicwall_firewall.log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ac755b72-5005-416d-8da8-7001a2ba5366" + }, + { + "columnId": "b988645c-c513-4755-b369-3f3787e6045d" + } + ], + "layerId": "2c3a0f47-236c-41cb-86e8-e8a27033d165", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "17735289-cfc4-429a-a5c5-f3d19df013dc", + "w": 13, + "x": 0, + "y": 4 + }, + "panelIndex": "17735289-cfc4-429a-a5c5-f3d19df013dc", + "title": "Event count by firewall", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"93ebdd92-cae8-455c-affe-191e18edcb95\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"source.geo.location\",\"requestType\":\"heatmap\",\"resolution\":\"SUPER_FINE\",\"id\":\"7dc5cffe-5449-4411-8838-f1a1076f3592\",\"type\":\"ES_GEO_GRID\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"metrics\":[{\"type\":\"count\"}],\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"d4d78e49-4c8e-4980-9cb9-581d6dc6b826\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"HEATMAP\",\"colorRampName\":\"theclassic\"},\"includeInFitToBounds\":true,\"type\":\"HEATMAP\"}]", + "mapStateJSON": "{\"zoom\":1.88,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + 
"isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 45, + "minLat": 0, + "minLon": -90 + }, + "mapCenter": { + "lat": 46.36347, + "lon": -7.06802, + "zoom": 2.88 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 15, + "i": "a7718a64-7550-405a-8a75-4687c00dadde", + "w": 24, + "x": 0, + "y": 14 + }, + "panelIndex": "a7718a64-7550-405a-8a75-4687c00dadde", + "title": "Network sources heat map", + "type": "map", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"6e0adcd6-6a1b-4fdf-9e81-66ea18ac7577\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"destination.geo.location\",\"requestType\":\"heatmap\",\"resolution\":\"SUPER_FINE\",\"id\":\"bdae40c0-6caf-4ba2-b179-7202f1e2be60\",\"type\":\"ES_GEO_GRID\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"metrics\":[{\"type\":\"count\"}],\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"75e1e0df-43ff-4e14-9df2-4962c751d3bf\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"HEATMAP\",\"colorRampName\":\"theclassic\"},\"includeInFitToBounds\":true,\"type\":\"HEATMAP\"}]", + "mapStateJSON": "{\"zoom\":1.39,\"center\":{\"lon\":-32.42476,\"lat\":25.69542},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 40.9799, + "maxLon": 135, + "minLat": 0, + "minLon": 45 + }, + "mapCenter": { + "lat": 23.23703, + "lon": 86.01728, + "zoom": 3.15 + }, + "openTOCDetails": [ + "75e1e0df-43ff-4e14-9df2-4962c751d3bf" + ] + }, + "gridData": { + "h": 15, + "i": "8e619b8c-80b2-46a8-8c9b-4581d3d14da5", + "w": 24, + "x": 24, + "y": 14 + }, + "panelIndex": "8e619b8c-80b2-46a8-8c9b-4581d3d14da5", + "title": "Network destinations heat map", + "type": "map", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3717b68f-f5ab-4598-9f39-4a723d91165c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "80a65bd8-af97-4b14-87dc-c8b2f7e847a8": { + "columnOrder": [ + "4aff95fe-c475-4dbc-a230-22c2005daead", + "a04c7483-85de-470a-a875-3b6336f57228", + "ba0383c2-1472-45fb-a465-9125f7120a32", + 
"ec6161de-fac2-420d-9b3f-e2d2df2caf68" + ], + "columns": { + "4aff95fe-c475-4dbc-a230-22c2005daead": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of network.transport", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "network.transport" + }, + "a04c7483-85de-470a-a875-3b6336f57228": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of network.protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "ba0383c2-1472-45fb-a465-9125f7120a32": { + "dataType": "number", + "isBucketed": true, + "label": "Top 3 values of destination.port", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "destination.port" + }, + "ec6161de-fac2-420d-9b3f-e2d2df2caf68": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3717b68f-f5ab-4598-9f39-4a723d91165c", + "key": "event.action", + "negate": false, + "params": { + "query": 
"connection-start" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "connection-start" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset :\"sonicwall_firewall.log\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "ba0383c2-1472-45fb-a465-9125f7120a32", + "4aff95fe-c475-4dbc-a230-22c2005daead", + "a04c7483-85de-470a-a875-3b6336f57228" + ], + "layerId": "80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "layerType": "data", + "legendDisplay": "default", + "metric": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "palette": { + "name": "positive", + "type": "palette" + }, + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "db14ebf1-c490-427c-bdde-d48da4496d45", + "w": 19, + "x": 0, + "y": 29 + }, + "panelIndex": "db14ebf1-c490-427c-bdde-d48da4496d45", + "title": "Allowed connections by transport/protocol/destination.port", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "951e4235-9dec-43ae-b400-bfe367e43e0b": { + "columnOrder": [ + "7200128d-9260-4e3f-a280-5cf5f9c84d33", + "155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4" + ], + "columns": { + "155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"7200128d-9260-4e3f-a280-5cf5f9c84d33": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 5 values of source.ip", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "7200128d-9260-4e3f-a280-5cf5f9c84d33" + }, + { + "columnId": "155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4" + } + ], + "layerId": "951e4235-9dec-43ae-b400-bfe367e43e0b", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "06b11f86-c986-4a30-b1da-1724529bf864", + "w": 15, + "x": 19, + "y": 29 + }, + "panelIndex": "06b11f86-c986-4a30-b1da-1724529bf864", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "287c2e25-3cb0-41d5-8bf8-ae1fb696173c": { + "columnOrder": [ + "ae8e1a22-3aff-4ca8-9fcc-566bb87aa283", + "2c8c78cf-034a-4278-9335-66f22dd19e4b" + ], + "columns": { + "2c8c78cf-034a-4278-9335-66f22dd19e4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ae8e1a22-3aff-4ca8-9fcc-566bb87aa283": { 
+ "dataType": "ip", + "isBucketed": true, + "label": "Top 5 values of destination.ip", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2c8c78cf-034a-4278-9335-66f22dd19e4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset :\"sonicwall_firewall.log\" " + }, + "visualization": { + "columns": [ + { + "columnId": "ae8e1a22-3aff-4ca8-9fcc-566bb87aa283" + }, + { + "columnId": "2c8c78cf-034a-4278-9335-66f22dd19e4b" + } + ], + "layerId": "287c2e25-3cb0-41d5-8bf8-ae1fb696173c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0", + "w": 14, + "x": 34, + "y": 29 + }, + "panelIndex": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "845be485-ea9d-4aac-a3bb-5d99702828cb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4ae20da-36fc-4e3b-90fb-1f7ff301b979", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "80a65bd8-af97-4b14-87dc-c8b2f7e847a8": { + "columnOrder": [ + "4aff95fe-c475-4dbc-a230-22c2005daead", + "a04c7483-85de-470a-a875-3b6336f57228", + "ba0383c2-1472-45fb-a465-9125f7120a32", + "ec6161de-fac2-420d-9b3f-e2d2df2caf68" + ], + 
"columns": { + "4aff95fe-c475-4dbc-a230-22c2005daead": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of network.transport", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "network.transport" + }, + "a04c7483-85de-470a-a875-3b6336f57228": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of network.protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "ba0383c2-1472-45fb-a465-9125f7120a32": { + "dataType": "number", + "isBucketed": true, + "label": "Top 3 values of destination.port", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "destination.port" + }, + "ec6161de-fac2-420d-9b3f-e2d2df2caf68": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "845be485-ea9d-4aac-a3bb-5d99702828cb", + "key": "event.category", + "negate": false, + "params": [ + "network" + ], + "type": "phrases" + }, + "query": { + 
"bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.category": "network" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c4ae20da-36fc-4e3b-90fb-1f7ff301b979", + "key": "event.action", + "negate": false, + "params": { + "query": "connection-denied" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "connection-denied" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset :\"sonicwall_firewall.log\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "ba0383c2-1472-45fb-a465-9125f7120a32", + "4aff95fe-c475-4dbc-a230-22c2005daead", + "a04c7483-85de-470a-a875-3b6336f57228" + ], + "layerId": "80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "layerType": "data", + "legendDisplay": "default", + "metric": "ec6161de-fac2-420d-9b3f-e2d2df2caf68", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "palette": { + "name": "negative", + "type": "palette" + }, + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b60bc6be-7082-43aa-8e3b-07468984046f", + "w": 19, + "x": 0, + "y": 44 + }, + "panelIndex": "b60bc6be-7082-43aa-8e3b-07468984046f", + "title": "Denied connections by transport/protocol/destination.port", + "type": "lens", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2c0360d-161b-4a36-b16d-0cf33a37314f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8c9a9a40-b2ef-44e0-8afd-8ef613afb85e", 
+ "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d1a641a9-f4d4-459f-9723-b6a25d02680d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c8843882-29d4-4afd-8c11-eeae1800d40c": { + "columnOrder": [ + "708e8def-b004-4b42-ad49-a88b44da0d8f", + "f8fbcadb-7787-4e9b-9120-bf9dbd742beb", + "046b793c-8c99-4656-a163-bac293b4c56c" + ], + "columns": { + "046b793c-8c99-4656-a163-bac293b4c56c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "708e8def-b004-4b42-ad49-a88b44da0d8f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of user.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "046b793c-8c99-4656-a163-bac293b4c56c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "f8fbcadb-7787-4e9b-9120-bf9dbd742beb": { + "dataType": "string", + "isBucketed": true, + "label": "Top 2 values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": true, + "orderBy": { + "fallback": false, + "type": "alphabetical" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a2c0360d-161b-4a36-b16d-0cf33a37314f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sonicwall_firewall.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sonicwall_firewall.log" + } + } + }, + { + 
"$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8c9a9a40-b2ef-44e0-8afd-8ef613afb85e", + "key": "event.category", + "negate": false, + "params": { + "query": "authentication" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "authentication" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d1a641a9-f4d4-459f-9723-b6a25d02680d", + "key": "event.type", + "negate": false, + "params": { + "query": "start" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "start" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "046b793c-8c99-4656-a163-bac293b4c56c" + ], + "layerId": "c8843882-29d4-4afd-8c11-eeae1800d40c", + "layerType": "data", + "palette": { + "name": "status", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "f8fbcadb-7787-4e9b-9120-bf9dbd742beb", + "xAccessor": "708e8def-b004-4b42-ad49-a88b44da0d8f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c46fce93-0b52-4617-b88d-703bc0a2d5e6", + "w": 29, + "x": 19, + "y": 44 + }, + "panelIndex": "c46fce93-0b52-4617-b88d-703bc0a2d5e6", + "title": "Top authentications", + "type": "lens", + 
"version": "8.2.0" + }, + { + "embeddableConfig": { + "columns": [ + "@timestamp", + "event.action", + "source.ip", + "message" + ], + "enhancements": {}, + "hidePanelTitles": false, + "rowHeight": 0 + }, + "gridData": { + "h": 18, + "i": "ed04883d-ba56-4502-a905-046c874e4a72", + "w": 48, + "x": 0, + "y": 59 + }, + "panelIndex": "ed04883d-ba56-4502-a905-046c874e4a72", + "panelRefName": "panel_ed04883d-ba56-4502-a905-046c874e4a72", + "title": "Attack events", + "type": "search", + "version": "8.2.0" + } + ], + "timeRestore": false, + "title": "[SonicWall Firewall] Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13a27ebe-963e-4539-9013-186e247e0b32:control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:2ab93ebb-d843-4bdb-99a2-c55dd1b5c096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a7718a64-7550-405a-8a75-4687c00dadde:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "8e619b8c-80b2-46a8-8c9b-4581d3d14da5:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db14ebf1-c490-427c-bdde-d48da4496d45:3717b68f-f5ab-4598-9f39-4a723d91165c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b60bc6be-7082-43aa-8e3b-07468984046f:845be485-ea9d-4aac-a3bb-5d99702828cb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b60bc6be-7082-43aa-8e3b-07468984046f:c4ae20da-36fc-4e3b-90fb-1f7ff301b979", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:a2c0360d-161b-4a36-b16d-0cf33a37314f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:8c9a9a40-b2ef-44e0-8afd-8ef613afb85e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:d1a641a9-f4d4-459f-9723-b6a25d02680d", + "type": "index-pattern" + }, + { + "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde", + "name": "ed04883d-ba56-4502-a905-046c874e4a72:panel_ed04883d-ba56-4502-a905-046c874e4a72", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/sonicwall_firewall/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json new file mode 100644 index 00000000000..e9e03d622b5 --- /dev/null +++ b/packages/sonicwall_firewall/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json 
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "source.ip",
+ "message"
+ ],
+ "description": "Saved search for attacks detected and blocked by SonicWall Firewall",
+ "grid": {
+ "columns": {
+ "event.action": {
+ "width": 134.5
+ },
+ "source.ip": {
+ "width": 126.25
+ }
+ }
+ },
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.action",
+ "negate": false,
+ "params": [
+ "attack-blocked",
+ "attack-detected"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.action": "attack-blocked"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.action": "attack-detected"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset :\"sonicwall_firewall.log\" "
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "SonicWall Firewall attacks"
+ },
+ "coreMigrationVersion": "8.2.0",
+ "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/manifest.yml b/packages/sonicwall_firewall/manifest.yml
new file mode 100644
index 00000000000..6d8a79c060a
--- /dev/null
+++ b/packages/sonicwall_firewall/manifest.yml
@@ -0,0 +1,72 @@
+format_version: 1.0.0
+name: sonicwall_firewall
+title: "SonicWall Firewall"
+version: 0.1.0
+license: basic
+release: beta
+description: "Integration for SonicWall firewall logs"
+type: integration
+categories:
+ - network
+ - security
+conditions:
+ kibana.version: "^8.2.0"
+screenshots:
+ - src: /img/dashboard.png
+ title: Sample dashboard
+ size: 911x1531
+ type: image/png
+icons:
+ - src: /img/logo.svg
+ title: SonicWall logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: sample
+ title: Sample logs
+ description: Collect sample logs
+ inputs:
+ - type: udp
+ title: Collect logs via syslog
+ description: Collecting logs via syslog
+ - type: logfile
+ title: Collect logs from file
+ description: Collecting logs from file
+vars:
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+owner:
+ github: elastic/security-external-integrations
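Review bot: `version: 0.1.0` is the one version-like value in this manifest left as a plain scalar while `kibana.version: "^8.2.0"` is quoted; quoting it (`version: "0.1.0"`) keeps a future bump that happens to look numeric from being retyped by a YAML 1.1 loader. The two folded `description` scalars also differ in chomping: `tz_offset` uses `>-` but `processors` uses `>`, which keeps a trailing newline in the rendered help text, so `description: >-` on the `processors` var makes them consistent. `tz_offset` is `type: text` with `required: true`, which means any string, including a malformed offset, is accepted at policy level; presumably the ingest pipeline that consumes it (outside this hunk) is where a bad value surfaces, so a comment on the var such as `# not validated here; confirm how the pipeline's date parsing reports a bad offset` would help the next maintainer.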