[Sophos] UTM data stream: replace Javascript processing with ingest pipelines #6816


Merged: 14 commits, Jul 24, 2023

Conversation

chemamartinez (Contributor)

What does this PR do?

This pull request updates the Sophos integration to:

  • Support DNS, DHCP, HTTP, and Packet Filter logs from UTM. Ingest pipelines have been added to process those events in favor of the current JavaScript scripts.
  • Created dashboards for the event types mentioned below.
  • Fixed a small issue in the xg data stream about an incompatible event type and category.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

Screenshots

Integration page and configuration: two screenshots (2023-07-05)

Dashboards: sophos-utm-overview, sophos-utm-dhcp, sophos-utm-http, sophos-utm-packetfilter

@chemamartinez chemamartinez marked this pull request as ready for review July 5, 2023 07:16
@chemamartinez chemamartinez requested a review from a team as a code owner July 5, 2023 07:16
@elasticmachine: Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine commented Jul 5, 2023

💚 Build Succeeded

Build stats
  • Start Time: 2023-07-24T10:08:14.705+0000
  • Duration: 19 min 41 sec

Test stats 🧪
  • Failed: 0
  • Passed: 38
  • Skipped: 0
  • Total: 38

@elasticmachine commented Jul 5, 2023

🌐 Coverage report (metric: % covered (covered/total), diff vs. base)
  • Packages: 100.0% (2/2) 💚
  • Files: 100.0% (17/17) 💚
  • Classes: 100.0% (17/17) 💚
  • Methods: 100.0% (125/125) 💚, diff 4.673
  • Lines: 90.899% (2487/2736) 👍, diff 9.911
  • Conditionals: 100.0% (0/0) 💚

@P1llus (Member) left a comment:
Not reviewed packetfilter yet, nor the pipelines, just the test logs and expected.json for them. Will do the rest a bit later.

]
},
"host": {
"hostname": "sophos-test-vm2"
@P1llus (Member):

Are these the host or the observer? I would say it's the observer maybe? Unsure if it was SIEM that required host.name or host.hostname for it to appear, but we could check that out if necessary.

@chemamartinez (Contributor, Author):

I would say it is the hostname where the original log was created since Sophos reads directly from the original log files, based on the list here. In addition, the timestamp read from logs is considered the original timestamp of the event.

But, I am not 100% sure here.

"country": "United States",
"dnstime": 5,
"filteraction": "REF_HTTP_ACTION",
"fullreqtime": 32181,
@P1llus (Member):

Would this match with event.duration? Unsure, as I have not checked their docs.

@chemamartinez (Contributor, Author):

It seems so, but I am not 100% sure either; most HTTP events have several time-related fields, such as:

authtime="0" dnstime="249" aptptime="0" cattime="206" avscantime="0" fullreqtime="1499"

It is complicated to say for sure as I couldn't find any docs related to these fields.
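
An added example, not part of this PR or of the Sophos integration's own pipeline: a small Python parser for the UTM key="value" line format quoted above, which then maps fullreqtime to event.duration the way an ingest pipeline would. It assumes the timing fields are in milliseconds (undocumented, as the discussion notes), uses hypothetical sophos.utm.* field names, and the sample line is constructed.

```python
import re

# Constructed Sophos UTM HTTP access log line (assumed layout; only the timing
# fields at the end are taken from the PR discussion, the rest is illustrative).
SAMPLE_LINE = (
    'id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" '
    'action="pass" method="GET" srcip="10.0.0.5" dstip="198.51.100.7" '
    'user="" statuscode="200" url="https://example.com/" '
    'authtime="0" dnstime="249" aptptime="0" cattime="206" avscantime="0" fullreqtime="1499"'
)

# UTM writes key="value" pairs; values may contain spaces but not nested quotes.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

TIMING_FIELDS = ("authtime", "dnstime", "aptptime", "cattime", "avscantime", "fullreqtime")
NS_PER_MS = 1_000_000


def parse_utm_kv(line: str) -> dict:
    """Split a UTM key="value" log line into a dict of raw string values."""
    return dict(_KV_RE.findall(line))


def utm_http_to_ecs(fields: dict) -> dict:
    """Map the timing fields to a nested document the way an ingest pipeline would.

    ASSUMPTION: the UTM timing fields are milliseconds (Sophos does not document
    them, as the discussion notes). ECS event.duration is nanoseconds, so the
    total request time is scaled before it is used as event.duration. The
    sophos.utm.* field names are hypothetical, not the integration's mapping.
    """
    doc = {"sophos": {"utm": {}}, "event": {}, "http": {"response": {}}}
    for name in TIMING_FIELDS:
        raw = fields.get(name, "")
        if raw.isdigit():                      # skip empty or non-numeric values
            doc["sophos"]["utm"][name] = int(raw)
    total = doc["sophos"]["utm"].get("fullreqtime")
    if total is not None:
        doc["event"]["duration"] = total * NS_PER_MS
    if fields.get("statuscode", "").isdigit():
        doc["http"]["response"]["status_code"] = int(fields["statuscode"])
    return doc


if __name__ == "__main__":
    print(utm_http_to_ecs(parse_utm_kv(SAMPLE_LINE)))
```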

@chemamartinez chemamartinez requested a review from P1llus July 18, 2023 06:59
Comment on lines +28 to 29
value: start
if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)"

@chemamartinez chemamartinez requested a review from efd6 July 24, 2023 07:20
@chemamartinez chemamartinez merged commit 42f49ac into elastic:main Jul 24, 2023
@elasticmachine: Package sophos - 3.0.0 containing this change is available at https://epr.elastic.co/search?package=sophos


@chemamartinez chemamartinez deleted the 6184-sophos-utm branch February 6, 2025 10:30
Labels: enhancement (New feature or request), Integration:sophos (Sophos)

Linked issue: Sophos UTM