Updated SWG for better performance
brian-grabau committed Aug 1, 2024
1 parent c0a4c96 commit 11009ac
Showing 1 changed file with 41 additions and 64 deletions.
105 changes: 41 additions & 64 deletions config/processors/syslog_security_skyhigh.swg.conf
Expand Up @@ -9,101 +9,58 @@ input {
}
filter {
mutate {
remove_field => [ "host","event" ]
add_field => { "[event][module]" => "skyhigh" }
add_field => { "[event][dataset]" => "skyhigh.swg" }
copy => { "message" => "[event][original]" }
}
grok {
tag_on_failure => "_parsefailure_header"
match => { "message" => "(^(.*?)(<(?<pri>\d+)>)(\s)?(?<actual_msg>.*$))|(^(?<actual_msg>.*)$)" }
match => { "message" => "^(.*?)(<(?<pri>\d+)>)(\s)?.*?mwg:( )?(?<tmp_csv>.*?)$" }
timeout_millis => 500

}
syslog_pri {
syslog_pri_field_name => "pri"
remove_field => [ "pri" ]
ecs_compatibility => v8
}
### If regular MWG traffic log
if [message] =~ "mprob=" {
if [tmp_csv] !~ "\w,\w" {
dissect {
tag_on_failure => "_dissectfailure_2"
tag_on_failure => "_dissectfailure_1"
mapping => {
"actual_msg" => '%{?data} ts=%{[[event][created]]}, sip=%{[[source][ip]]}, usr=%{[[user][name]]}, sprt=%{[[source][port]]}, stat=%{[[http][response][status_code]]}, cat=%{[[rule][category]]}, sev=%{[[event][severity_name]]}, media=%{[[http][request][body][content]]}, rbytes=%{[[http][response][bytes]]}, sbytes=%{[[http][request][bytes]]}, agent=%{[[user_agent][original]]}, virus=%{[[rule][name]]}, mprob=%{[[event][risk_score]]}, blockid=%{[[rule][id]]}, block=%{[[rule][ruleset]]}, app=%{[[network][application]]}, dip=%{[[destination][ip]]}, dprt=%{[[destination][port]]}, sslcertserialclient=%{[[tls][client][certificate]]}, sslcipherclient=%{[[tls][client][supported_ciphers]]}, sslversionclient=%{[[tls][client][x509][version_number]]}, sslcnsrvr=%{[[tls][server][issuer]]}, sslsha1digestsrvr=%{[[tls][server][hash][sha1]]}, sslsha2digestsrvr=%{[[tls][server][hash][sha256]]}, sslsigmethodserver=%{[[tls][server][x509][signature_algorithm]]}, sslciphersrvrt=%{[tls][cipher]}, sslversionsrvr=%{[[tls][version]]}, rule=%{[rule][uuid]}, method=%{tmp}'
"tmp_csv" => 'ts=[%{[event][created]}], sip=%{[[source][ip]]}, usr=%{[[user][name]]}, sprt=%{[[source][port]]}, stat=%{[[http][response][status_code]]}, cat=%{[[rule][category]]}, sev=%{[[event][severity_name]]}, media=%{[[http][response][mime_type]]}, rbytes=%{[[http][request][bytes]]}, sbytes=%{[[http][response][bytes]]}, agent=%{[[user_agent][original]]}, virus=%{[[rule][name]]}, mprob=%{[[event][risk_score]]}, blockid=%{[[rule][id]]}, block=%{[[rule][ruleset]]}, app=%{[[process][name]]}, dip=%{[[destination][ip]]}, dprt=%{[[destination][port]]}, connection type=%{[[tmp][connection_type]]}, sslcertserialclient=%{[[tls][client][x509][serial_number]]}, sslcipherclient=%{[[tls][client][supported_ciphers]]}, sslversionclient=%{[[tls][client][x509][version_number]]}, sslcnsrvr=%{[[tls][server][issuer]]}, sslsha1digestsrvr=%{[[tls][server][hash][sha1]]}, sslsha2digestsrvr=%{[[tls][server][hash][sha256]]}, sslsigmethodserver=%{[[tls][server][x509][signature_algorithm]]}, sslciphersrvrt=%{[[tls][cipher]]}, sslversionsrvr=%{[[tls][version]]}, rule=%{[[rule][uuid]]}, method=%{[[tmp][method]]}, ref=%{[[http][request][referrer]]},'
}
}
} else if [message] =~ "method=" {
dissect {
tag_on_failure => "_dissectfailure_3"
mapping => {
"actual_msg" => '%{?data} ts=%{[[event][created]]}, sip=%{[[source][ip]]}, usr=%{[[user][name]]}, sprt=%{[[source][port]]}, stat=%{[[http][response][status_code]]}, cat=%{[[rule][category]]}, sev=%{[[event][severity_name]]}, media=%{[[http][request][body][content]]}, rbytes=%{[[http][response][bytes]]}, sbytes=%{[[http][request][bytes]]}, agent=%{[[user_agent][original]]}, virus=%{[[rule][name]]}, blockid=%{[[rule][id]]}, block=%{[[rule][ruleset]]}, app=%{[[network][application]]}, dip=%{[[destination][ip]]}, dprt=%{[[destination][port]]}, sslcertserialclient=%{[[tls][client][certificate]]}, sslcipherclient=%{[[tls][client][supported_ciphers]]}, sslversionclient=%{[[tls][client][x509][version_number]]}, sslcnsrvr=%{[[tls][server][issuer]]}, sslsha1digestsrvr=%{[[tls][server][hash][sha1]]}, sslsha2digestsrvr=%{[[tls][server][hash][sha256]]}, sslsigmethodserver=%{[[tls][server][x509][signature_algorithm]]}, sslciphersrvrt=%{[tls][cipher]}, sslversionsrvr=%{[[tls][version]]}, rule=%{[rule][uuid]}, method=%{tmp}'
}
}
### MWG error logs
} else if [message] =~ "Severity: " {
mutate {
gsub => ["message",'[\"]',","]
}
dissect {
tag_on_failure => "_dissectfailure_4"
mapping => {
"actual_msg" => "%{?data} %{?data} %{?data} %{ob[server][address]]} %{rest_msg}"
}
}
if [rest_msg] =~ "user" {
if "_dissectfailure_1" in [tags] {
dissect {
tag_on_failure => "_dissectfailure_5"
tag_on_failure => "_dissectfailure_2"
mapping => {
rest_msg => "%{?data},%{?data},%{?data},%{[[error][message]]},%{?data},%{?data} ,%{[[user][name]]}, (%{[[source][ip]]}),%{?data},Severity: %{[[log][level]]}"
"tmp_csv" => 'ts=[%{[event][created]}], sip=%{[[source][ip]]}, usr=%{[[user][name]]}, sprt=%{[[source][port]]}, stat=%{[[http][response][status_code]]}, cat=%{[[rule][category]]}, sev=%{[[event][severity_name]]}, media=%{[[http][response][mime_type]]}, rbytes=%{[[http][request][bytes]]}, sbytes=%{[[http][response][bytes]]}, agent=%{[[user_agent][original]]}, virus=%{[[rule][name]]}, mprob=%{[[event][risk_score]]}, blockid=%{[[rule][id]]}, block=%{[[rule][ruleset]]}, app=%{[[process][name]]}, dip=%{[[destination][ip]]}, dprt=%{[[destination][port]]}, sslcertserialclient=%{[[tls][client][x509][serial_number]]}, sslcipherclient=%{[[tls][client][supported_ciphers]]}, sslversionclient=%{[[tls][client][x509][version_number]]}, sslcnsrvr=%{[[tls][server][issuer]]}, sslsha1digestsrvr=%{[[tls][server][hash][sha1]]}, sslsha2digestsrvr=%{[[tls][server][hash][sha256]]}, sslsigmethodserver=%{[[tls][server][x509][signature_algorithm]]}, sslciphersrvrt=%{[[tls][cipher]]}, sslversionsrvr=%{[[tls][version]]}, rule=%{[[rule][uuid]]}, method=%{[[tmp][method]]}, ref=%{[[http][request][referrer]]}'
}
remove_tag => [ "_dissectfailure_1" ]
}
} else {
dissect {
tag_on_failure => "_dissectfailure_6"
mapping => {
rest_msg => "%{?data},%{?data},%{?data},%{[[event][reason]]},%{?data},%{[[error][message]]},%{?data},Severity: %{[[log][level]]}"
}
}
} else {
dissect {
tag_on_failure => "_dissectfailure_3"
mapping => {
"tmp_csv" => ' usr=%{[[user][name]]},sip=%{[[source][ip]]},sprt=%{[[source][port]]},agent=%{[[user_agent][original]]},app=%{[[process][name]]},dip=%{[[destination][ip]]},dprt=%{[[destination][port]]},ver=%{[[tls][next_protocol]]},method=%{[[tmp][method]]},url=%{[[observer][ip]]},virus=%{[[rule][name]]},ref=%{[[http][request][referrer]]}'
}
}
}
mutate {
gsub => [
"[event][created]", "\[", "",
"[event][created]", "\]", ""
]
}
if [tmp] !~ "ref=.*?$" {
if [tmp_csv] !~ "ref=.*?$" {
mutate {
# identify long uri i.e. possible DNS exfiltration
add_tag => "long uri"
}
}

# URI
grok {
match => { "tmp" => "^(?<[http][request][method]>.*?) (?<[url][full]>.*?)( |$)((?<[tls][next_protocol]>.*?))?(,|)( ref=(?<[http][request][referrer]>.*?))?( |)$"}
tag_on_failure => "_grokparsefailure_url"
match => { "[tmp][method]" => "^(?<[http][request][method]>.*?) (?<[url][full]>.*?)( |$)((?<[tls][next_protocol]>.*?).*$)?" }
tag_on_failure => "_grokparsefailure_uri"
timeout_millis => 500
}

if [event][created] {
date {
# "26/aug/2020:19:35:09.533 +0000"
# ts=[12/oct/2020:17:24:01 +0000]
match => ["[event][created]","MMM dd HH:mm:ss","ISO8601","dd/MMM/yyyy:HH:mm:ss ZZ" ]
timezone => "GMT"
locale => "en"
target => "[event][created]"
tag_on_failure => "_dateparsefailure_ec"
}
if "_dateparsefailure" in [tags] {
mutate {
remove_field => ["[event][created]"]
}
}
}

mutate {
remove_field => [ "actual_msg", "tmp", "rest_msg"]
}

translate {
source => "[[rule][id]]"
target => "[rule][description]"
Expand Down Expand Up @@ -161,6 +118,26 @@ filter {
add_field => { "[event][action]" => "denied" }
}
}

if [event][created] {
date {
# "26/aug/2020:19:35:09.533 +0000"
# ts=[12/oct/2020:17:24:01 +0000]
match => ["[event][created]", "ISO8601","MMM dd HH:mm:ss","dd/MMM/yyyy:HH:mm:ss ZZ" ]
timezone => "GMT"
locale => "en"
target => "[event][created]"
tag_on_failure => "_dateparsefailure_ec"
}
}
if [http][request][referrer] == "," {
mutate {
remove_field => ["[http][request][referrer]"]
}
}
mutate {
remove_field => [ "tmp", "tmp_csv" ]
}
}
output {
pipeline { send_to => [enrichments] }
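Review bot: The third dissect branch maps the `url=` token into `[[observer][ip]]`, which is an ECS IP-typed field meant for the proxy's own address; a URL string landing there will either fail ECS index mapping (rejecting the whole event from a security log stream) or pollute a field that correlation rules key on, so it should be `url=%{[[url][full]]}` unless there is a reason I cannot see in this hunk. Separately, the new URI grok `((?<[tls][next_protocol]>.*?).*$)?` can no longer yield a useful value: the lazy `.*?` is followed by a greedy `.*$` with no terminator, so the capture is always empty; the old pattern stopped at `,` or ` ref=`. Assuming `[tmp][method]` is now `METHOD URL VERSION` with no trailing referrer (the dissect consumes `ref=` separately), `^(?<[http][request][method]>\S+) (?<[url][full]>\S+)( (?<[tls][next_protocol]>\S+))?$` would capture all three; confirm against a sample line, since I cannot see the raw format here. Note also that the new header grok requires both `<pri>` and `mwg:`; any message without them gets `_parsefailure_header` and no `tmp_csv`, so the later `[tmp_csv]` conditionals run on a missing field — a short `if "_parsefailure_header" in [tags]` guard around the parsing branches would make that path explicit.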