diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6613793aca2..0c1464db6d8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -843,6 +843,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] - Upgrade juniper/srx to ecs 1.8.0. {issue}23118[23118] {pull}23936[23936] - Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978] +- Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967] *Heartbeat* diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml index 5a35058a55b..676d19f05d3 100644 --- a/x-pack/filebeat/module/sophos/xg/config/config.yml +++ b/x-pack/filebeat/module/sophos/xg/config/config.yml @@ -27,7 +27,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - add_fields: target: '_conf' fields: diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml index bb2548bf941..a5c0b7c32cd 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml @@ -315,16 +315,18 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" - ############# ## Cleanup ## ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml index df6ed8b35ca..c659264d633 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml @@ -206,14 +206,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml index a9dedb4070f..0b5f92c1e69 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml @@ -237,14 +237,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/event.yml b/x-pack/filebeat/module/sophos/xg/ingest/event.yml index 2565434a6f0..7d5c397587a 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/event.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/event.yml @@ -151,6 +151,11 @@ processors: field: source.user.name value: '{{sophos.xg.name}}' if: "ctx.sophos?.xg?.name != null" +- set: + field: user.name + value: '{{source.user.name}}' + ignore_empty_value: true + if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' - rename: field: sophos.xg.usergroupname target_field: source.user.group.name diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml index a9ad2eb988c..43ab892b8cc 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml @@ -401,22 +401,27 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.ip value: '{{source.nat.ip}}' + allow_duplicates: false if: 'ctx?.source?.nat?.ip != null' - append: field: related.ip value: '{{destination.nat.ip}}' + allow_duplicates: false if: 'ctx?.destination?.nat?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml index f10f964eb13..efd049cb580 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml @@ -203,16 +203,17 @@ processors: - append: if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + allow_duplicates: false - append: if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + allow_duplicates: false - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml index 8102bb92514..ef8599270e0 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml @@ -198,6 +198,11 @@ processors: } } ctx["host"]["name"] = name; +- append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: 'ctx.host?.name != null' ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml index dce06fd1776..53f4a2f1884 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml @@ -106,14 +106,17 @@ processors: - append: field: related.ip value: "{{source.ip}}" + allow_duplicates: false if: "ctx.source?.ip != null" - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" - append: field: related.hash value: "{{file.hash.sha1}}" + allow_duplicates: false if: "ctx.file?.hash?.sha1 != null" - remove: field: diff --git a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml index 3cbf1383467..8e58395a3bf 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml @@ -250,14 +250,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index a78e3c1ccb0..044a0b01f33 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -32,6 +32,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "server.bytes": 0, "server.port": 0, "service.type": "sophos", @@ -104,6 +107,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -192,6 +198,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -280,6 +289,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -355,6 +367,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.233.61", "server.port": 25, @@ -423,6 +438,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.234.240", "server.port": 25, @@ -491,6 +509,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -557,6 +578,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.16.204", "server.port": 25, @@ -624,6 +648,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -688,6 +715,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -755,6 +785,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.233.61", "server.port": 110, diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index 42590edbb33..65b2d6abdfd 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -46,6 +46,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.24", "13.226.155.93" @@ -124,6 +127,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.16.34.24", "13.226.155.18" @@ -199,6 +205,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "82.165.194.211", "186.8.209.194" @@ -284,6 +293,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "23.254.247.78", "185.7.209.194" @@ -365,6 +377,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.16.121", "10.198.234.240" @@ -436,6 +451,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.16.121", "10.198.234.240" @@ -509,6 +527,9 @@ "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.146.13.49", "10.8.142.181" @@ -574,6 +595,9 @@ "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.146.13.49", "10.8.142.181" diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 38c2694478e..a0230cb1dc4 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -40,6 +40,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.71", "46.161.30.47" @@ -112,6 +115,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.16.34.24", "13.226.155.22" @@ -180,6 +186,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.24", "13.226.155.22" @@ -245,6 +254,9 @@ "observer.serial_number": "C30006T22TGR89B", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.89", "82.211.30.202" diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index 84dc15e1aeb..c8bb6001058 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -38,6 +38,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.71", "182.79.221.19" @@ -114,6 +117,9 @@ "observer.serial_number": "S110000E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "5.5.5.15", "216.58.197.44" @@ -189,6 +195,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "5.5.5.15", "74.125.130.188" @@ -270,6 +279,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.10", "13.79.168.201" @@ -344,6 +356,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.15", "40.90.137.127" @@ -416,6 +431,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.15", "91.228.167.133" @@ -471,6 +489,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.108.108.49" ], @@ -537,6 +558,9 @@ "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "192.168.73.220", "64.233.189.147" @@ -609,6 +633,9 @@ "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "192.168.73.220", "64.233.188.94" diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index 89d6878ec6f..a237d2d2a36 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -27,6 +27,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.116" ], @@ -50,7 +53,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:38:58.000-02:00", @@ -80,6 +84,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "83.20.132.250", "214.167.51.66" @@ -137,6 +144,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.connectiontype": "0", "sophos.xg.device": "SFW", @@ -180,6 +190,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "83.9.140.96" ], @@ -211,7 +224,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:39:01.000-02:00", @@ -239,6 +253,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -274,6 +291,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -318,6 +338,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "217.250.157.135" ], @@ -349,7 +372,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:39:04.000-02:00", @@ -372,6 +396,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.user": [ "elastic.user@elastic.test.com" ], @@ -420,6 +447,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "91.67.201.4" ], @@ -452,7 +482,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "hendrikl" }, { "@timestamp": "2020-05-18T14:39:06.000-02:00", @@ -473,6 +504,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -510,6 +544,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.66.35.15" ], @@ -556,6 +593,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -591,6 +631,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.backup_mode": "'appliance' ", "sophos.xg.device": "SFW", @@ -637,6 +680,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "10.84.234.38" ], @@ -663,7 +709,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2018-06-06T11:12:10.000-02:00", @@ -684,6 +731,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "SG430", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index 7f1e5d9190b..35557e557da 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -60,6 +60,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.15", "91.228.167.86", @@ -174,6 +177,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.66.155", "91.228.165.117", @@ -276,6 +282,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.113", "172.20.4.52" @@ -359,6 +368,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.82.234.6", "192.168.0.1" @@ -453,6 +465,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "51.77.56.9", "185.7.209.207" @@ -547,6 +562,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.101", "192.168.5.11" @@ -636,6 +654,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.36.105", "10.84.234.14" @@ -718,6 +739,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.82.234.9", "10.82.234.11" @@ -805,6 +829,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.84.234.7", "172.16.34.50" @@ -896,6 +923,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "192.168.1.254", "172.17.32.19" @@ -983,6 +1013,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.17.35.119", "172.16.34.10" @@ -1074,6 +1107,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.19", "8.8.8.8" @@ -1154,8 +1190,10 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ - "0.0.0.0", "0.0.0.0" ], "rule.id": "0", @@ -1235,6 +1273,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.38.184", "10.198.39.255" @@ -1318,6 +1359,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.19", "10.198.32.48" @@ -1396,6 +1440,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.23", "10.198.36.48" @@ -1483,6 +1530,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.12.19", "8.8.8.8" @@ -1564,6 +1614,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "fe80::59f5:3ce8:c98e:5062", "ff02::1:2" @@ -1644,6 +1697,9 @@ "observer.serial_number": "SFDemo-9a04c43", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.57", "10.198.32.19" @@ -1736,6 +1792,9 @@ "observer.serial_number": "SFDemo-9a04c43", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.57", "72.163.4.185" diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index d92a2b2e7e4..2dcaffd634e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -32,6 +32,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "89.40.182.58", "172.16.68.20" @@ -104,6 +107,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "117.50.11.192", "172.16.66.155" @@ -178,6 +184,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "77.61.185.101", "172.16.68.20" @@ -250,6 +259,9 @@ "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.0.0.168", "10.1.1.234" @@ -315,6 +327,9 @@ "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.0.1.31", "10.1.0.115" diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index ed32ee3f213..acae45ad376 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -28,6 +28,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "CR750iNG-XP", @@ -77,6 +80,9 @@ "related.hash": [ "83cd339302bf5e8ed5240ca6383418089c337a81" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -130,6 +136,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "CR750iNG-XP", @@ -178,6 +187,9 @@ "related.hash": [ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -237,6 +249,9 @@ "related.hash": [ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -296,6 +311,9 @@ "related.hash": [ "d910c4a81122c360fe57f67a04999425a65249db" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "172.16.34.24" ], diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index ceed76baef1..9a3920dc168 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -42,6 +42,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "89.68.140.204", "185.8.209.207" @@ -123,6 +126,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "89.68.140.204", "185.8.209.207" @@ -196,6 +202,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "10.198.235.254", "10.198.233.48" @@ -264,6 +273,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.198.235.254", "10.198.233.48" @@ -339,6 +351,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "83.97.20.30", "216.167.51.72" diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json index 64aa8a24494..0568deab20f 100644 --- a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -18,6 +18,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.ap": "A40024A636F7862", "sophos.xg.clients_conn_ssid": "2", @@ -53,6 +56,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.ap": "A40024A636F7862", "sophos.xg.clients_conn_ssid": "3",