
Commit f32f4e2

kai-hershaeqahmed
authored andcommitted
Add Zscaler ZIA Firewall logs & tests
1 parent 66bb411 commit f32f4e2

11 files changed

+774
-2
lines changed

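--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@ __pycache__
 vrl-web
 .DS_Store
 log_source_generated.yml.go
-**/*log_source_generated.yml.go
+**/*log_source_generated.yml.go
+.vscode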
@@ -0,0 +1,183 @@
1+
- name: cloud
2+
title: Cloud
3+
group: 2
4+
description: Fields related to the cloud or infrastructure the events are coming from.
5+
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
6+
type: group
7+
fields:
8+
- name: account.id
9+
level: extended
10+
type: keyword
11+
ignore_above: 1024
12+
description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
13+
example: 666777888999
14+
- name: availability_zone
15+
level: extended
16+
type: keyword
17+
ignore_above: 1024
18+
description: Availability zone in which this host is running.
19+
example: us-east-1c
20+
- name: instance.id
21+
level: extended
22+
type: keyword
23+
ignore_above: 1024
24+
description: Instance ID of the host machine.
25+
example: i-1234567890abcdef0
26+
- name: instance.name
27+
level: extended
28+
type: keyword
29+
ignore_above: 1024
30+
description: Instance name of the host machine.
31+
- name: machine.type
32+
level: extended
33+
type: keyword
34+
ignore_above: 1024
35+
description: Machine type of the host machine.
36+
example: t2.medium
37+
- name: provider
38+
level: extended
39+
type: keyword
40+
ignore_above: 1024
41+
description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
42+
example: aws
43+
- name: region
44+
level: extended
45+
type: keyword
46+
ignore_above: 1024
47+
description: Region in which this host is running.
48+
example: us-east-1
49+
- name: project.id
50+
type: keyword
51+
description: Name of the project in Google Cloud.
52+
- name: image.id
53+
type: keyword
54+
description: Image ID for the cloud instance.
55+
- name: container
56+
title: Container
57+
group: 2
58+
description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
59+
type: group
60+
fields:
61+
- name: id
62+
level: core
63+
type: keyword
64+
ignore_above: 1024
65+
description: Unique container id.
66+
- name: image.name
67+
level: extended
68+
type: keyword
69+
ignore_above: 1024
70+
description: Name of the image the container was built on.
71+
- name: labels
72+
level: extended
73+
type: object
74+
object_type: keyword
75+
description: Image labels.
76+
- name: name
77+
level: extended
78+
type: keyword
79+
ignore_above: 1024
80+
description: Container name.
81+
- name: host
82+
title: Host
83+
group: 2
84+
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
85+
type: group
86+
fields:
87+
- name: architecture
88+
level: core
89+
type: keyword
90+
ignore_above: 1024
91+
description: Operating system architecture.
92+
example: x86_64
93+
- name: domain
94+
level: extended
95+
type: keyword
96+
ignore_above: 1024
97+
description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
98+
example: CONTOSO
99+
default_field: false
100+
- name: hostname
101+
level: core
102+
type: keyword
103+
ignore_above: 1024
104+
description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
105+
- name: id
106+
level: core
107+
type: keyword
108+
ignore_above: 1024
109+
description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
110+
- name: ip
111+
level: core
112+
type: ip
113+
description: Host ip addresses.
114+
- name: mac
115+
level: core
116+
type: keyword
117+
ignore_above: 1024
118+
description: Host mac addresses.
119+
- name: name
120+
level: core
121+
type: keyword
122+
ignore_above: 1024
123+
description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
124+
- name: os.family
125+
level: extended
126+
type: keyword
127+
ignore_above: 1024
128+
description: OS family (such as redhat, debian, freebsd, windows).
129+
example: debian
130+
- name: os.kernel
131+
level: extended
132+
type: keyword
133+
ignore_above: 1024
134+
description: Operating system kernel version as a raw string.
135+
example: 4.4.0-112-generic
136+
- name: os.name
137+
level: extended
138+
type: keyword
139+
ignore_above: 1024
140+
multi_fields:
141+
- name: text
142+
type: text
143+
norms: false
144+
default_field: false
145+
description: Operating system name, without the version.
146+
example: Mac OS X
147+
- name: os.platform
148+
level: extended
149+
type: keyword
150+
ignore_above: 1024
151+
description: Operating system platform (such centos, ubuntu, windows).
152+
example: darwin
153+
- name: os.version
154+
level: extended
155+
type: keyword
156+
ignore_above: 1024
157+
description: Operating system version as a raw string.
158+
example: 10.14.1
159+
- name: type
160+
level: core
161+
type: keyword
162+
ignore_above: 1024
163+
description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
164+
- name: containerized
165+
type: boolean
166+
description: >
167+
If the host is a container.
168+
- name: os.build
169+
type: keyword
170+
example: "18D109"
171+
description: >
172+
OS build information.
173+
- name: os.codename
174+
type: keyword
175+
example: "stretch"
176+
description: >
177+
OS codename, if any.
178+
- name: input.type
179+
type: keyword
180+
description: Input type
181+
- name: log.offset
182+
type: long
183+
description: Log offset
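Review bot: `example: 666777888999` on the `account.id` entry near the top of this file is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is a `keyword`; write `example: '666777888999'` so the example carries the same type as the mapping. The `footnote` on the cloud group still describes Metricbeat fetching data from an EC2 host, which is ECS boilerplate rather than anything this Zscaler firewall data stream does, and trimming it to what applies here would stop readers from looking for behaviour that does not exist. The `description: >` folded scalars on `containerized`, `os.build` and `os.codename` keep a trailing newline, unlike every single-line description in the file; `>-` gives the same text without it.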
@@ -0,0 +1,20 @@
1+
- name: data_stream.type
2+
type: constant_keyword
3+
description: Data stream type.
4+
- name: data_stream.dataset
5+
type: constant_keyword
6+
description: Data stream dataset.
7+
- name: data_stream.namespace
8+
type: constant_keyword
9+
description: Data stream namespace.
10+
- name: '@timestamp'
11+
type: date
12+
description: Event timestamp.
13+
- name: event.module
14+
type: constant_keyword
15+
description: Event module.
16+
value: zscaler_zia
17+
- name: event.dataset
18+
type: constant_keyword
19+
description: Event dataset.
20+
value: zscaler_zia.firewall
@@ -0,0 +1,42 @@
1+
- external: ecs
2+
name: destination.bytes
3+
- external: ecs
4+
name: destination.geo.country_name
5+
- external: ecs
6+
name: destination.ip
7+
- external: ecs
8+
name: destination.port
9+
- external: ecs
10+
name: ecs.version
11+
- external: ecs
12+
name: event.action
13+
- external: ecs
14+
name: event.duration
15+
- external: ecs
16+
name: network.application
17+
- external: ecs
18+
name: network.community_id
19+
- external: ecs
20+
name: network.protocol
21+
- external: ecs
22+
name: network.transport
23+
- external: ecs
24+
name: related.hosts
25+
- external: ecs
26+
name: related.ip
27+
- external: ecs
28+
name: related.user
29+
- external: ecs
30+
name: rule.name
31+
- external: ecs
32+
name: source.bytes
33+
- external: ecs
34+
name: source.ip
35+
- external: ecs
36+
name: source.port
37+
- external: ecs
38+
name: tags
39+
- external: ecs
40+
name: user.email
41+
- external: ecs
42+
name: user.name
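Review bot: The ECS references stop at `user.name`, but the feed format added in this same commit also emits `ipsrulelabel`, `deviceowner` and `devicehostname`, and no field declared anywhere in this commit obviously receives them. If the ingest pipeline (not on this page) maps them, their ECS targets need an entry here so the mapping exists; if it does not, those values are presumably left unmapped or dropped from the indexed document. For firewall telemetry the IPS rule label and the device identity are among the first pivots an analyst reaches for, so this is worth confirming against the pipeline rather than leaving to default behaviour.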
@@ -0,0 +1,105 @@
1+
- name: zscaler_zia.firewall
2+
type: group
3+
fields:
4+
- name: department
5+
type: keyword
6+
description: |
7+
Department of the user.
8+
- name: location
9+
type: group
10+
fields:
11+
- name: name
12+
type: keyword
13+
description: |
14+
Name of the location from which the session was initiated.
15+
- name: client
16+
type: group
17+
fields:
18+
- name: destination
19+
type: group
20+
fields:
21+
- name: port
22+
type: long
23+
description: |
24+
Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate.
25+
- name: ip
26+
type: ip
27+
description: |
28+
Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate.
29+
- name: server
30+
type: group
31+
fields:
32+
- name: source
33+
type: group
34+
fields:
35+
- name: port
36+
type: long
37+
description: |
38+
Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate.
39+
- name: ip
40+
type: ip
41+
description: |
42+
Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate.
43+
- name: tunnel
44+
type: group
45+
fields:
46+
- name: ip
47+
type: ip
48+
description: |
49+
Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate.
50+
- name: port
51+
type: long
52+
description: |
53+
Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate.
54+
- name: type
55+
type: keyword
56+
description: |
57+
Traffic forwarding method used to send the traffic to the firewall.
58+
- name: nat
59+
type: keyword
60+
description: |
61+
Indicates if the destination NAT policy was applied.
62+
- name: stateful
63+
type: keyword
64+
- name: aggregate
65+
type: keyword
66+
- name: ip_category
67+
type: keyword
68+
description: |
69+
URL category that corresponds to the server IP address.
70+
- name: duration
71+
type: group
72+
fields:
73+
- name: avg
74+
type: long
75+
description: |
76+
Average session duration, in milliseconds, if the sessions were aggregated.
77+
- name: seconds
78+
type: long
79+
description: |
80+
Average session duration, in milliseconds, if the sessions were aggregated.
81+
- name: milliseconds
82+
type: long
83+
description: |
84+
Session or request duration in milliseconds.
85+
- name: session
86+
type: group
87+
fields:
88+
- name: count
89+
type: double
90+
description: |
91+
Number of sessions that were aggregated.
92+
- name: threat
93+
type: group
94+
fields:
95+
- name: category
96+
type: keyword
97+
description: |
98+
Category of the threat in the Firewall session by the IPS engine.
99+
- name: name
100+
type: keyword
101+
description: |
102+
Name of the threat detected in the Firewall session by the IPS engine.
103+
- name: log.source.address
104+
type: keyword
105+
description: Source address from which the log event was read / sent from.
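Review bot: `duration.seconds` carries the same description as `duration.avg` (`Average session duration, in milliseconds, if the sessions were aggregated.`), which contradicts its own name; it presumably holds the feed's `duration` value and should be described as the session duration in seconds, with `milliseconds` and `avg` keeping their current text. `session.count` is declared `type: double` although the feed format emits it as `%d{numsessions}`, an integer count, so `type: long` matches the source and avoids a float rendering of a count. `stateful` and `aggregate` are the only keyword fields in this group without a `description`; a one-liner along the lines of `Indicates whether the session was stateful.` and `Indicates whether the sessions were aggregated.` would keep the file consistent with `nat`, which does document the same kind of flag.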
@@ -0,0 +1 @@
1+
\{ "datetime" : "%s{time}", "user" : "%s{elogin}", "department" : "%s{edepartment}", "locationname" : "%s{elocation}", "cdport" : "%d{cdport}", "csport" : "%d{csport}", "sdport": "%d(sdport}", "ssport": "%d(ssport}", "csip" : "%s{csip}", "cdip" : "%s{cdip}", "ssip" : "%s{ssip}", "sdip" : "%s{sdip}", "tsip" : "%s{tsip}", "tunsport" : "%d{tsport}", "tuntype" : "%s{ttype}", "action" : "%s{action}", "dnat" : "%s{dnat}", "stateful" : "%s{stateful}", "aggregate" : "%s{aggregate}", "nwsvc" : "%s{nwsvc}", "nwapp" : "%s{nwapp}", "proto" : "%s{ipproto}", "ipcat" : "%s{ipcat}", "destcountry" : "%s{destcountry}", "avgduration" : "%d{avgduration}", "rulelabel" : "%s{erulelabel}", "inbytes" : "%ld{inbytes}", "outbyes" : "%ld{outbytes}", "duration" : "%d{duration}", "durationms" : "%d{durationms}", "numsessions" : "%d{numsessions}", "ipsrulelabel" : "%s{ipsrulelabel}", "threatcat" : "%s{threatcat}", "threatname" : "%s{threatname}", "deviceowner" : "%s{deviceowner}", "devicehostname" : "%s{devicehostname}" \}
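Review bot: Two placeholders in this feed format use `(` where every other placeholder uses `{`: `"sdport": "%d(sdport}"` and `"ssport": "%d(ssport}"`, so the feed most likely will not substitute the server destination and source ports and the emitted JSON carries the literal text instead of the values the pipeline expects for `destination.port` / `source.port`; they should read `"sdport" : "%d{sdport}", "ssport" : "%d{ssport}"`. The key `"outbyes"` is also misspelled; if the pipeline looks for `outbytes`, the outbound byte count never reaches `source.bytes`/`destination.bytes`, which silently removes a signal that volume-based detections depend on, so rename it to `"outbytes" : "%ld{outbytes}"`. Any sample log or test fixture generated from this format inherits both typos, so the tests in this commit would pass against the wrong field names without exercising the real feed output.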
