diff --git a/packages/sophos/_dev/deploy/docker/sample_logs/sophos-utm-generated.log b/packages/sophos/_dev/deploy/docker/sample_logs/sophos-utm-generated.log
index cb9fa97790b..070d8c61636 100644
--- a/packages/sophos/_dev/deploy/docker/sample_logs/sophos-utm-generated.log
+++ b/packages/sophos/_dev/deploy/docker/sample_logs/sophos-utm-generated.log
@@ -98,3 +98,5 @@
 2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud
 2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico
 2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER
+2019:04:08-11:21:55 galaxy ulogd[5009]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000014" initf="eth0" outitf="eth3" srcmac="00:50:56:c0:00:01" dstmac="00:0c:29:93:cc:85" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57051" dstport="51130" tcpflags="SYN"
+2019:04:08-11:22:05 gemini ulogd[8882]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="eth0" srcmac="00:0c:29:93:cc:a3" dstmac="00:0c:29:69:57:8b" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57096" dstport="51130" tcpflags="SYN"
\ No newline at end of file
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index af7c875275c..5280809e22f 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS for the UTM data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3370
 - version: "2.2.0"
 changes:
 - description: Improve inputs for Sophos XG pipeline.
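Review bot: Only the first of the two added sample lines (`id="2002"`, `name="Packet accepted"`) has a matching case in the new pipeline test; the `id="2000"` / `action="log"` line, which carries no `outitf`, is not covered by test-packet-filter.json, so the path where `observer.egress.interface.name` is absent goes untested. Adding that line as a second event in the new pipeline test would exercise the missing-field branch alongside the MAC normalization. The file is also written without a trailing newline, which the diff records as `\ No newline at end of file`.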
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json
new file mode 100644
index 00000000000..52741a0f490
--- /dev/null
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json
@@ -0,0 +1,115 @@
+{
+ "events": [
+ {
+ "@timestamp": "2019-04-08T11:21:55.000Z",
+ "agent": {
+ "ephemeral_id": "e311f248-bcfe-40fa-a92c-75047bac1b66",
+ "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.1.3"
+ },
+ "data_stream": {
+ "dataset": "sophos.utm",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "172.30.30.1",
+ "mac": "00:0c:29:93:cc:85",
+ "port": 51130
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2",
+ "snapshot": false,
+ "version": "8.1.3"
+ },
+ "event": {
+ "code": "ulogd",
+ "dataset": "sophos.utm",
+ "original": "2019:04:08-11:21:55 galaxy ulogd[5009]: id=\"2002\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet accepted\" action=\"accept\" fwrule=\"3000000014\" initf=\"eth0\" outitf=\"eth3\" srcmac=\"00:50:56:c0:00:01\" dstmac=\"00:0c:29:93:cc:85\" srcip=\"192.168.168.1\" dstip=\"172.30.30.1\" proto=\"6\" length=\"52\" tos=\"0x00\" prec=\"0x00\" ttl=\"127\" srcport=\"57051\" dstport=\"51130\" tcpflags=\"SYN\"",
+ "timezone": "+00:00"
+ },
+ "host": {
+ "name": "galaxy"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/sophos-utm-generated.log"
+ },
+ "level": "info",
+ "offset": 24605
+ },
+ "message": "\"Packet",
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "eth3"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ },
+ "product": "UTM",
+ "type": "Firewall",
+ "vendor": "Sophos"
+ },
+ "process": {
+ "pid": 5009
+ },
+ "related": {
+ "ip": [
+ "172.30.30.1",
+ "192.168.168.1"
+ ]
+ },
+ "rsa": {
+ "internal": {
+ "event_desc": "\"Packet",
+ "messageid": "ulogd"
+ },
+ "investigations": {
+ "ec_activity": "Scan",
+ "ec_subject": "NetworkComm",
+ "ec_theme": "TEV",
+ "event_cat": 1901000000,
+ "event_cat_name": "Other.Default"
+ },
+ "misc": {
+ "policy_id": "3000000014",
+ "rule": "2002",
+ "severity": "info",
+ "vsys": "SecureNet"
+ },
+ "network": {
+ "alias_host": [
+ "galaxy"
+ ],
+ "dinterface": "eth3",
+ "network_service": "packetfilter",
+ "sinterface": "eth0"
+ },
+ "time": {
+ "event_time": "2019-04-08T11:21:55.000Z"
+ }
+ },
+ "source": {
+ "ip": "192.168.168.1",
+ "mac": "00:50:56:c0:00:01",
+ "port": 57051
+ },
+ "tags": [
+ "sophos-utm",
+ "forwarded"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json-expected.json
new file mode 100644
index 00000000000..f983d64c2a3
--- /dev/null
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-packet-filter.json-expected.json
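Review bot: The test event is already a fully enriched document — `source.mac` and `destination.mac` arrive in colon form next to `rsa.*`, `related.ip` and `observer.*` — so this test only proves that the gsub/uppercase step rewrites a value the fixture supplies. It does not show that the pipeline's own parsing populates the MAC fields before those processors run; if that parsing happens outside the ingest pipeline (for example on the agent side), this is fine, but it is worth stating in the PR description, because with `ignore_missing: true` a MAC field set later in the pipeline would pass through unformatted and this test would still be green. A second event built from the other sample line added to sophos-utm-generated.log (`id="2000"`, no `outitf`) would widen the coverage at no extra cost.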
@@ -0,0 +1,117 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-04-08T11:21:55.000Z",
+ "agent": {
+ "ephemeral_id": "e311f248-bcfe-40fa-a92c-75047bac1b66",
+ "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.1.3"
+ },
+ "data_stream": {
+ "dataset": "sophos.utm",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "172.30.30.1",
+ "mac": "00-0C-29-93-CC-85",
+ "port": 51130
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2",
+ "snapshot": false,
+ "version": "8.1.3"
+ },
+ "event": {
+ "code": "ulogd",
+ "dataset": "sophos.utm",
+ "original": "2019:04:08-11:21:55 galaxy ulogd[5009]: id=\"2002\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet accepted\" action=\"accept\" fwrule=\"3000000014\" initf=\"eth0\" outitf=\"eth3\" srcmac=\"00:50:56:c0:00:01\" dstmac=\"00:0c:29:93:cc:85\" srcip=\"192.168.168.1\" dstip=\"172.30.30.1\" proto=\"6\" length=\"52\" tos=\"0x00\" prec=\"0x00\" ttl=\"127\" srcport=\"57051\" dstport=\"51130\" tcpflags=\"SYN\"",
+ "timezone": "+00:00"
+ },
+ "host": {
+ "name": "galaxy"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/sophos-utm-generated.log"
+ },
+ "level": "info",
+ "offset": 24605
+ },
+ "message": "\"Packet",
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "eth3"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ },
+ "product": "UTM",
+ "type": "Firewall",
+ "vendor": "Sophos"
+ },
+ "process": {
+ "pid": 5009
+ },
+ "related": {
+ "hosts": [
+ "galaxy"
+ ],
+ "ip": [
+ "172.30.30.1",
+ "192.168.168.1"
+ ]
+ },
+ "rsa": {
+ "internal": {
+ "event_desc": "\"Packet",
+ "messageid": "ulogd"
+ },
+ "investigations": {
+ "ec_activity": "Scan",
+ "ec_subject": "NetworkComm",
+ "ec_theme": "TEV",
+ "event_cat": 1901000000,
+ "event_cat_name": "Other.Default"
+ },
+ "misc": {
+ "policy_id": "3000000014",
+ "rule": "2002",
+ "severity": "info",
+ "vsys": "SecureNet"
+ },
+ "network": {
+ "alias_host": [
+ "galaxy"
+ ],
+ "dinterface": "eth3",
+ "network_service": "packetfilter",
+ "sinterface": "eth0"
+ },
+ "time": {
+ "event_time": "2019-04-08T11:21:55.000Z"
+ }
+ },
+ "source": {
+ "ip": "192.168.168.1",
+ "mac": "00-50-56-C0-00-01",
+ "port": 57051
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
index ca123a17d4d..0ccb6ce73ab 100644
--- a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
@@ -1,10 +1,26 @@
 ---
-description: Pipeline for Astaro Security Gateway
+description: Pipeline for Sophos UTM (formerly Astaro Security Gateway).
 processors:
 - set:
 field: ecs.version
 value: '8.2.0'
+ - gsub:
+ field: destination.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - gsub:
+ field: source.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - uppercase:
+ field: destination.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
 # User agent
 - user_agent:
 field: user_agent.original
diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml
index 45b40c08b73..dfe23ea68ab 100644
--- a/packages/sophos/manifest.yml
+++ b/packages/sophos/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sophos
 title: Sophos Logs
-version: 2.2.0
+version: "2.2.1"
 description: Collect and parse logs from Sophos Products with Elastic Agent.
 categories: ["security"]
 release: ga
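Review bot: The expected output pins `"message": "\"Packet"` and `"event_desc": "\"Packet"`, which is the quoted `name="Packet accepted"` value from `event.original` cut at the first space with a stray leading quote. The input fixture already carries that value, so the truncation is not introduced by this change, but writing it into the expected file means the test will keep passing on a value that is clearly not the intended message text until someone deliberately changes it. A sentence in the PR description, or a follow-up issue reference, noting that the truncated `message` is a known pre-existing parsing problem would keep it from being read as intended behaviour. Apart from the normalized MACs, `ecs.version` and the added `related.hosts`, the expected document matches the input.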
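Review bot: The four new processors carry no `on_failure` or `ignore_failure`, and `gsub`/`uppercase` fail when the target field holds a value that is not a string; an event in which `source.mac` or `destination.mac` was parsed as anything else would then fail the whole pipeline and be lost, unless a pipeline-level `on_failure` handler exists past the end of this hunk, which I cannot see. Adding `ignore_failure: true` next to each `ignore_missing: true` would keep a malformed MAC from costing the entire firewall event. The `pattern: '[:]'` also only handles colon-separated input; a value already in hyphenated form passes through unchanged, which is fine, but other vendor formats would not be normalized, so the comment in the changelog should be read as "colon form to ECS form". The `processors` list continues beyond the hunk.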