{ "v": 1, "id": "544fc099-7a53-4a48-9a58-833fdfc37a9a", "rev": 1, "name": "Sophos XG", "summary": "A graylog content pack for the Sophos XG Firewall", "description": "Content:\n - UDP Input with extractor rules\n - Dashboard\n - Pipeline with rules\n - Search\n - And more", "vendor": "Jeff Singleton (@HackDefendr)", "url": "https://github.com/hackdefendr/SophosXG_Graylog", "parameters": [], "entities": [ { "v": "1", "type": { "name": "lookup_adapter", "version": "1" }, "id": "179528cc-f30e-49d8-ab7b-282434939175", "data": { "name": { "@type": "string", "@value": "geoip" }, "title": { "@type": "string", "@value": "GeoIP" }, "description": { "@type": "string", "@value": "GeoIP Lookup Table" }, "configuration": { "type": { "@type": "string", "@value": "maxmind_geoip" }, "path": { "@type": "string", "@value": "/etc/graylog/server/GeoLite2-City.mmdb" }, "database_type": { "@type": "string", "@value": "MAXMIND_CITY" }, "check_interval": { "@type": "long", "@value": 1 }, "check_interval_unit": { "@type": "string", "@value": "MINUTES" } } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "1605d88b-2691-4f58-9acb-82e52ea4e3d6", "data": { "title": { "@type": "string", "@value": "GeoIP lookup: src_ip" }, "description": { "@type": "string", "@value": "Source GeoIP Lookup" }, "source": { "@type": "string", "@value": "rule \"GeoIP lookup: src_ip\"\n when\n has_field(\"src_ip\")\n then\n let geo = lookup(\"geoip\", to_string($message.src_ip));\n set_field(\"src_ip_geo_location\", geo[\"coordinates\"]);\n set_field(\"src_country_code\", geo[\"country\"].iso_code);\n set_field(\"src_ip_geo_city\", geo[\"city\"].names.en);\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "c02a81ee-1732-4920-8867-d04f5570d846", "data": { "title": { "@type": "string", "@value": "XG Log 
Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG Log Type\"\nwhen\n to_string($message.source) == \"SFW\"\nthen\n set_fields(\n grok(\n pattern: \"log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} log_subtype=%{QUOTEDSTRING:log_sub_type}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "search", "version": "1" }, "id": "2ad3752f-fa8e-4062-9390-03a85b40616a", "data": { "summary": { "@type": "string", "@value": "" }, "search": { "queries": [ { "id": "b5e767e9-cd0c-42a9-94d7-8530d3da1880", "timerange": { "type": "relative", "range": 86400 }, "filter": { "type": "or", "filters": [ { "type": "stream", "filters": null, "id": "d7e8152b-6063-4a17-ba4a-1db0c0e008a5", "title": null } ] }, "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "search_types": [ { "query": null, "name": "chart", "timerange": null, "streams": [], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "time", "field": "timestamp", "interval": { "type": "auto", "scaling": 1 } } ], "type": "pivot", "id": "e754ccda-e8f5-4564-a234-e7f71a5fbcb2", "column_groups": [], "sort": [] }, { "query": null, "name": null, "timerange": null, "offset": 0, "streams": [], "filter": null, "decorators": [ { "id": "5ecaf9adcb6890d9f8e385b8", "type": "org.graylog2.decorators.SyslogSeverityMapperDecorator", "config": { "source_field": "priority", "target_field": "severity" }, "stream": null, "order": 0 } ], "type": "messages", "id": "61e6edac-a116-4c31-859b-d289f732d0de", "limit": 150 } ] } ], "parameters": [], "requires": {}, "owner": "admin", "created_at": "2020-05-29T01:45:05.779Z" }, "created_at": "2020-05-24T13:12:08.441Z", "requires": {}, "state": { 
"b5e767e9-cd0c-42a9-94d7-8530d3da1880": { "selected_fields": null, "static_message_list_id": null, "titles": { "widget": { "7d526158-ccc5-449b-a48e-9169ba106710": "Message Count", "8748bcba-1813-4b0c-9ede-2af6eadca6b6": "All Messages" } }, "widgets": [ { "id": "8748bcba-1813-4b0c-9ede-2af6eadca6b6", "type": "messages", "filter": null, "timerange": null, "query": null, "streams": [], "config": { "fields": [ "timestamp", "log_type", "src_ip_city_name", "src_ip_country_code", "src_ip", "dst_port", "protocol", "src_ip_geolocation" ], "show_message_row": false, "decorators": [ { "id": "5ecaf9adcb6890d9f8e385b8", "type": "org.graylog2.decorators.SyslogSeverityMapperDecorator", "config": { "source_field": "priority", "target_field": "severity" }, "stream": null, "order": 0 } ], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "7d526158-ccc5-449b-a48e-9169ba106710", "type": "aggregation", "filter": null, "timerange": null, "query": null, "streams": [], "config": { "visualization": "bar", "event_annotation": false, "row_pivots": [ { "field": "timestamp", "type": "time", "config": { "interval": { "type": "auto", "scaling": null } } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "7d526158-ccc5-449b-a48e-9169ba106710": [ "e754ccda-e8f5-4564-a234-e7f71a5fbcb2" ], "8748bcba-1813-4b0c-9ede-2af6eadca6b6": [ "61e6edac-a116-4c31-859b-d289f732d0de" ] }, "positions": { "7d526158-ccc5-449b-a48e-9169ba106710": { "col": 1, "row": 5, "height": 2, "width": "Infinity" }, "8748bcba-1813-4b0c-9ede-2af6eadca6b6": { "col": 1, "row": 7, "height": 6, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "admin", "title": { "@type": "string", "@value": "Sophos XG Firewall" }, "type": "SEARCH", "description": { 
"@type": "string", "@value": "" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline", "version": "1" }, "id": "c41fba55-fc8e-4ab7-9208-6f7d64094eef", "data": { "title": { "@type": "string", "@value": "Sophos XG" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "pipeline \"Sophos XG\"\nstage 0 match all\nrule \"priority name\"\nstage 1 match all\nrule \"GeoIP lookup: dst_ip\"\nrule \"GeoIP lookup: src_ip\"\nstage 2 match either\nrule \"XG Firewall Type\"\nrule \"XG Content Filter Type\"\nend" }, "connected_streams": [ { "@type": "string", "@value": "000000000000000000000001" } ] }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "input", "version": "1" }, "id": "fa3bdcd1-60ee-4aa0-9aa8-37e55b662867", "data": { "title": { "@type": "string", "@value": "Sophos XG" }, "configuration": { "expand_structured_data": { "@type": "boolean", "@value": true }, "recv_buffer_size": { "@type": "integer", "@value": 262144 }, "port": { "@type": "integer", "@value": 5001 }, "number_worker_threads": { "@type": "integer", "@value": 2 }, "force_rdns": { "@type": "boolean", "@value": false }, "allow_override_date": { "@type": "boolean", "@value": true }, "bind_address": { "@type": "string", "@value": "0.0.0.0" }, "store_full_message": { "@type": "boolean", "@value": true } }, "static_fields": {}, "type": { "@type": "string", "@value": "org.graylog2.inputs.syslog.udp.SyslogUDPInput" }, "global": { "@type": "boolean", "@value": true }, "extractors": [ { "target_field": { "@type": "string", "@value": "out_interface" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 13 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "out_interface=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { 
"@type": "string", "@value": "out_interface firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "category" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 18 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "category=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "category firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "application" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 19 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "application=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "application firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "method" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 22 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "method=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "method firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { 
"target_field": { "@type": "string", "@value": "profile" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 23 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "profile=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "profile firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "user_name" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 14 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "user_name=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "user_name firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "status_code" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 17 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "status_code=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "status_code firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "user_gp" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 15 }, "converters": [], "configuration": { "regex_value": { "@type": "string", 
"@value": "user_gp=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "user_gp firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "device_name" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 2 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "device_name=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "device_name firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "message" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 0 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "message=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "message firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "src_ip" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 4 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "src_ip=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "src_ip firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", 
"@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "dst_ip" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 7 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "dst_ip=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "dst_ip firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "device_id" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 1 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "device_id=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "device_id firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "priority" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 3 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "priority=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "priority firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "src_mac" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 6 }, "converters": [], 
"configuration": { "regex_value": { "@type": "string", "@value": "src_mac=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "src_mac firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "dst_port" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 8 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "dst_port=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "dst_port firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "src_port" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 5 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "src_port=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "src_port firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "fw_rule_id" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 10 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "fw_rule_id=([^=]* )" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "fw_rule_id firewall extractor" }, "type": { "@type": "string", "@value": 
"REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "protocol" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 11 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "protocol=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "protocol firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "in_interface" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 12 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "in_interface=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "in_interface firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "user_agent" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 16 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "user_agent=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "user_agent firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "exceptions" }, "condition_value": { "@type": 
"string", "@value": "" }, "order": { "@type": "integer", "@value": 20 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "exceptions=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "exceptions firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } }, { "target_field": { "@type": "string", "@value": "log_type" }, "condition_value": { "@type": "string", "@value": "" }, "order": { "@type": "integer", "@value": 21 }, "converters": [], "configuration": { "regex_value": { "@type": "string", "@value": "log_type=\"([^\"]*)\"" } }, "source_field": { "@type": "string", "@value": "message" }, "title": { "@type": "string", "@value": "log_type firewall extractor" }, "type": { "@type": "string", "@value": "REGEX" }, "cursor_strategy": { "@type": "string", "@value": "COPY" }, "condition_type": { "@type": "string", "@value": "NONE" } } ] }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "ce776125-ea33-4eed-94c1-5a35db8db67d", "data": { "title": { "@type": "string", "@value": "priority name" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"priority name\"\nwhen\n true\nthen\n set_field(\"priority\",syslog_level($message.priority));\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "2b312793-9803-4722-8f8e-c69f28ddac95", "data": { "summary": { "@type": "string", "@value": "Syslog from a Sophos XG Firewall to Graylog" }, "search": { "queries": [ { "id": "4eaeafa4-f6dc-4c74-aecf-2902fbf8251d", "timerange": { "type": "relative", "range": 300 }, "query": { "type": "elasticsearch", 
"query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "name": null, "timerange": { "type": "relative", "range": 300 }, "offset": 0, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "filter": null, "decorators": [], "type": "messages", "id": "b0744d1f-d8f3-4435-998c-b6552aec89be", "limit": 150 } ] }, { "id": "20b49579-1f4d-4493-8554-8e6cabc9367b", "timerange": { "type": "relative", "range": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "name": "chart", "timerange": { "type": "relative", "range": 86400 }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "src_ip_geolocation", "limit": 15 } ], "type": "pivot", "id": "68a21819-0303-4dd3-b0da-befdb1cf2e41", "column_groups": [], "sort": [] }, { "query": null, "name": "chart", "timerange": { "type": "relative", "range": 300 }, "streams": [], "series": [], "filter": null, "rollup": true, "row_groups": [], "type": "pivot", "id": "bd526117-c9f5-4594-b1d6-87cc0ae7ca6f", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "name": "chart", "timerange": { "type": "relative", "range": 3600 }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "src_ip_country_code", "limit": 15 } ], "type": "pivot", "id": "4f95201d-5f57-4070-a787-619db2bddfd1", "column_groups": [ { "type": "values", "field": "src_ip_city_name", "limit": 15 } ], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, 
"name": "chart", "timerange": { "type": "relative", "range": 86400 }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "series": [ { "type": "count", "id": "Message Count", "field": null } ], "filter": null, "rollup": true, "row_groups": [], "type": "pivot", "id": "5dd6113c-bc7f-4fac-ba8f-27fdc6537cf8", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "range": 86400 }, "streams": [], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "category", "limit": 15 } ], "type": "pivot", "id": "88689e56-a865-4b82-98c1-5f5fad75cb8a", "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "admin", "created_at": "2020-06-01T22:52:33.967Z" }, "created_at": "2020-05-25T20:55:23.770Z", "requires": {}, "state": { "20b49579-1f4d-4493-8554-8e6cabc9367b": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Sophos XG" }, "widget": { "f01768a4-3a01-4237-b9fc-3e7cb0b2c1ff": "Sophos XG Messages", "79b78e03-cdf7-4d44-aa23-1988270bf1e7": "Sophos XG Category Chart", "8b50bd9e-c1aa-460b-bf90-8f363bebb1dd": "Sophos XG Heatmap (src_ip_country_code)", "8e609dc5-f302-4c7c-a52c-d690cdafeb37": "Sophos XG Message Count", "52ca40cb-873f-431d-bd4f-20182e233aaa": "Sophos XG Attack Map" } }, "widgets": [ { "id": "79b78e03-cdf7-4d44-aa23-1988270bf1e7", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "range": 86400 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "category", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { 
"id": "8b50bd9e-c1aa-460b-bf90-8f363bebb1dd", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "range": 3600 }, "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "config": { "visualization": "heatmap", "event_annotation": false, "row_pivots": [ { "field": "src_ip_country_code", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [ { "field": "src_ip_city_name", "type": "values", "config": { "limit": 15 } } ], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "52ca40cb-873f-431d-bd4f-20182e233aaa", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "range": 86400 }, "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "config": { "visualization": "map", "event_annotation": false, "row_pivots": [ { "field": "src_ip_geolocation", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": { "viewport": { "zoom": 2, "center_x": 0, "center_y": 0 } }, "formatting_settings": null, "sort": [] } }, { "id": "8cc820b9-877e-4709-a822-5352cbb3061f", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "range": 300 }, "query": null, "streams": [], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [], "series": [], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "8e609dc5-f302-4c7c-a52c-d690cdafeb37", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "range": 86400 }, "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND 
!src_ip:0.0.0.0" }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "config": { "visualization": "numeric", "event_annotation": false, "row_pivots": [], "series": [ { "config": { "name": "Message Count" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "8e609dc5-f302-4c7c-a52c-d690cdafeb37": [ "5dd6113c-bc7f-4fac-ba8f-27fdc6537cf8" ], "79b78e03-cdf7-4d44-aa23-1988270bf1e7": [ "88689e56-a865-4b82-98c1-5f5fad75cb8a" ], "8b50bd9e-c1aa-460b-bf90-8f363bebb1dd": [ "4f95201d-5f57-4070-a787-619db2bddfd1" ], "52ca40cb-873f-431d-bd4f-20182e233aaa": [ "68a21819-0303-4dd3-b0da-befdb1cf2e41" ], "8cc820b9-877e-4709-a822-5352cbb3061f": [ "bd526117-c9f5-4594-b1d6-87cc0ae7ca6f" ] }, "positions": { "8e609dc5-f302-4c7c-a52c-d690cdafeb37": { "col": 9, "row": 1, "height": 4, "width": 4 }, "79b78e03-cdf7-4d44-aa23-1988270bf1e7": { "col": 1, "row": 1, "height": 8, "width": 8 }, "8b50bd9e-c1aa-460b-bf90-8f363bebb1dd": { "col": 9, "row": 5, "height": 4, "width": 4 }, "52ca40cb-873f-431d-bd4f-20182e233aaa": { "col": 1, "row": 9, "height": 6, "width": 8 }, "8cc820b9-877e-4709-a822-5352cbb3061f": { "col": 9, "row": 10, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "4eaeafa4-f6dc-4c74-aecf-2902fbf8251d": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "XG Logs" }, "widget": { "092abeff-a80b-414e-9064-e01ff7745c18": "XG Message Table" } }, "widgets": [ { "id": "092abeff-a80b-414e-9064-e01ff7745c18", "type": "messages", "filter": null, "timerange": { "type": "relative", "range": 300 }, "query": { "type": "elasticsearch", "query_string": "!src_ip:10.71.1.* AND !src_ip:0.0.0.0" }, "streams": [ "d7e8152b-6063-4a17-ba4a-1db0c0e008a5" ], "config": { "fields": [ "timestamp", "source", "device_name", "log_type", "protocol", "src_ip", "dst_port", "src_ip_city_name", 
"src_ip_country_code" ], "show_message_row": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "092abeff-a80b-414e-9064-e01ff7745c18": [ "b0744d1f-d8f3-4435-998c-b6552aec89be" ] }, "positions": { "092abeff-a80b-414e-9064-e01ff7745c18": { "col": 1, "row": 1, "height": 11, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "admin", "title": { "@type": "string", "@value": "Sophos XG Firewall" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "This is a basic dashboard for displaying log data sent via Syslog from a Sophos XG Firewall to a Graylog instance." } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "2697111b-fa9d-408a-a7d8-d6786e25eb6c", "data": { "title": { "@type": "string", "@value": "GeoIP lookup: dst_ip" }, "description": { "@type": "string", "@value": "Destination GeoIP Lookup" }, "source": { "@type": "string", "@value": "rule \"GeoIP lookup: dst_ip\"\n when\n has_field(\"dst_ip\")\n then\n let geo = lookup(\"geoip\", to_string($message.dst_ip));\n set_field(\"dst_ip_geo_location\", geo[\"coordinates\"]);\n set_field(\"dst_country_code\", geo[\"country\"].iso_code);\n set_field(\"dst_ip_geo_city\", geo[\"city\"].names.en);\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "07e40665-0157-4da8-b573-dd66d96dfddc", "data": { "title": { "@type": "string", "@value": "Pipeline Processed Flag" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"Pipeline Processed Flag\"\nwhen\n true\nthen\n set_field(\"pipeline_processed\",true);\nend" } }, "constraints": [ { "type": "server-version", "version": 
">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "91079ddc-d3ec-429f-9103-a128692e776c", "data": { "title": { "@type": "string", "@value": "XG Event Authentication Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG Event Authentication Type\"\nwhen\n (to_string($message.log_type) == \"Event\") && (to_string($message.log_sub_type) == \"Authentication\")\nthen\n set_fields(\n grok(\n pattern: \"status=%{QUOTEDSTRING:status}%{SPACE}priority=%{WORD:priority}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{SPACE}usergroupname=%{QUOTEDSTRING:user_group}%{SPACE}auth_client=%{QUOTEDSTRING:auth_client}%{SPACE}auth_mechanism=%{QUOTEDSTRING:auth_mechanism}%{SPACE}reason=%{QUOTEDSTRING:reason}%{SPACE}src_ip=%{DATA:src_ip}%{SPACE}message=%{QUOTEDSTRING:auth_message}%{SPACE}name=%{QUOTEDSTRING:name}%{SPACE}src_mac=%{DATA:src_mac}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "9db20fc7-419d-4153-8e4b-dc3aa0e1fda2", "data": { "title": { "@type": "string", "@value": "XG System Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG System Type\"\nwhen\n to_string($message.log_sub_type) == \"System\"\nthen\n set_fields(\n grok(\n pattern: \"(status=%{QUOTEDSTRING:status})?%{SPACE}priority=%{WORD:priority}%{SPACE}(status=%{QUOTEDSTRING:status})?%{GREEDYDATA}message=%{QUOTEDSTRING:system_message}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "4bf3fa06-3464-417b-88b8-c8cc19aac062", "data": { "title": { "@type": "string", "@value": "XG Content 
Filter Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG Content Filter Type\"\nwhen\n to_string($message.log_type) == \"Content Filtering\"\nthen\n set_fields(\n grok(\n pattern: \"status=%{QUOTEDSTRING:action}%{SPACE}priority=%{GREEDYDATA:priority}%{SPACE}fw_rule_id=%{INT:fw_rule_id}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{SPACE}user_gp=%{QUOTEDSTRING:user_group}%{SPACE}iap=%{INT:iap}%{SPACE}category=%{QUOTEDSTRING:category}%{SPACE}category_type=%{QUOTEDSTRING:category_type}%{SPACE}url=%{QUOTEDSTRING:url}%{SPACE}contenttype=%{QUOTEDSTRING:content_type}%{SPACE}override_token=%{QUOTEDSTRING:override_token}%{SPACE}httpresponsecode=%{QUOTEDSTRING:http_response_code}%{SPACE}src_ip=%{IP:src_ip}%{SPACE}dst_ip=%{IP:dst_ip}%{SPACE}protocol=%{QUOTEDSTRING:protocol}%{SPACE}src_port=%{INT:src_port}%{SPACE}dst_port=%{INT:dst_port}%{SPACE}sent_bytes=%{INT:sent_bytes;int}%{SPACE}recv_bytes=%{INT:recv_bytes;int}%{SPACE}domain=%{URIHOST:domain}%{SPACE}exceptions=%{DATA:exceptions}%{SPACE}activityname=%{QUOTEDSTRING:activity_name}%{SPACE}reason=%{QUOTEDSTRING:reason}%{SPACE}user_agent=%{QUOTEDSTRING:user_agent}%{SPACE}status_code=%{QUOTEDSTRING:status_code}%{SPACE}transactionid=%{DATA:transaction_id}%{SPACE}referer=%{QUOTEDSTRING:referer}%{SPACE}download_file_name=%{QUOTEDSTRING:downloaded_file_name}%{SPACE}download_file_type=%{QUOTEDSTRING:downloaded_file_type}%{SPACE}upload_file_name=%{QUOTEDSTRING}%{SPACE}upload_file_type=%{QUOTEDSTRING}%{SPACE}con_id=%{INT:con_id}%{SPACE}application=%{QUOTEDSTRING:application}%{SPACE}app_is_cloud=%{INT:app_is_cloud;boolean}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "stream", "version": "1" }, "id": "d7e8152b-6063-4a17-ba4a-1db0c0e008a5", "data": { "alarm_callbacks": [], "outputs": [], "remove_matches": { "@type": 
"boolean", "@value": true }, "title": { "@type": "string", "@value": "Sophos XG Firewall" }, "stream_rules": [ { "type": { "@type": "string", "@value": "PRESENCE" }, "field": { "@type": "string", "@value": "src_ip" }, "value": { "@type": "string", "@value": "" }, "inverted": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "src_ip field must be present" } }, { "type": { "@type": "string", "@value": "EXACT" }, "field": { "@type": "string", "@value": "log_type" }, "value": { "@type": "string", "@value": "Firewall" }, "inverted": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "" } } ], "alert_conditions": [], "matching_type": { "@type": "string", "@value": "AND" }, "disabled": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "Messages with log_type Firewall" }, "default_stream": { "@type": "boolean", "@value": false } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "a4bf0407-b11f-48f1-ba8e-51a153c0f89a", "data": { "title": { "@type": "string", "@value": "XG Firewall Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG Firewall Type\"\nwhen\n to_string($message.log_type) == \"Firewall\"\nthen\n set_fields(\n grok(\n pattern: 
\"status=%{QUOTEDSTRING:action}%{SPACE}priority=%{WORD:priority}%{SPACE}duration=%{INT:duration}%{SPACE}fw_rule_id=%{INT:fw_rule_id}%{SPACE}policy_type=%{INT:policy_type}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{SPACE}user_gp=%{QUOTEDSTRING:user_group}%{SPACE}iap=%{INT:iap}%{SPACE}ips_policy_id=%{INT:ips_policy_id}%{SPACE}appfilter_policy_id=%{INT:app_filter_policy_id}%{SPACE}application=%{QUOTEDSTRING:application}%{SPACE}application_risk=%{INT:application_risk}%{SPACE}application_technology=%{QUOTEDSTRING:application_technology}%{SPACE}application_category=%{QUOTEDSTRING:application_category}%{SPACE}in_interface=%{QUOTEDSTRING:in_interface}%{SPACE}out_interface=%{QUOTEDSTRING:out_interface}%{SPACE}src_mac=%{DATA:src_mac}%{SPACE}src_ip=%{DATA:src_ip}%{SPACE}src_country_code=%{DATA:src_country_code}%{SPACE}dst_ip=%{DATA:dst_ip}%{SPACE}dst_country_code=%{DATA:dst_country_code}%{SPACE}protocol=%{QUOTEDSTRING:protocol}%{SPACE}(src_port=%{INT:src_port}%{SPACE}dst_port=%{INT:dst_port})?(icmp_type=%{INT:icmp_type}%{SPACE}icmp_code=%{INT:icmp_code})?%{SPACE}sent_pkts=%{INT:sent_pkts;int}%{SPACE}recv_pkts=%{INT:recv_pkts;int}%{SPACE}sent_bytes=%{INT:sent_bytes;int}%{SPACE}recv_bytes=%{INT:recv_bytes;int}%{SPACE}tran_src_ip=%{DATA:tran_src_ip}%{SPACE}tran_src_port=%{INT:tran_src_port}%{SPACE}tran_dst_ip=%{DATA:tran_dst_ip}%{SPACE}tran_dst_port=%{INT:tran_dst_port}%{SPACE}srczonetype=%{QUOTEDSTRING:src_zone_type}%{SPACE}srczone=%{QUOTEDSTRING:src_zone}%{SPACE}dstzonetype=%{QUOTEDSTRING:dst_zone_type}%{SPACE}dstzone=%{QUOTEDSTRING:dst_zone}%{SPACE}dir_disp=%{QUOTEDSTRING:dir_disp}%{SPACE}(connevent=%{QUOTEDSTRING:conn_event})?%{SPACE}connid=%{QUOTEDSTRING:conn_id}%{SPACE}vconnid=%{QUOTEDSTRING:v_conn_id}%{SPACE}hb_health=%{QUOTEDSTRING:hb_health}%{SPACE}message=%{QUOTEDSTRING:fw_message}%{SPACE}appresolvedby=%{QUOTEDSTRING:app_resolved_by}%{SPACE}app_is_cloud=%{INT:app_is_cloud;boolean}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, 
"constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "36e234ae-ea9f-4b7d-82e6-1975882947e0", "data": { "title": { "@type": "string", "@value": "XG GUI Event Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG GUI Event Type\"\nwhen\n to_string($message.log_type) == \"Event\" && to_string($message.log_component) == \"GUI\"\nthen\n set_fields(\n grok(\n pattern: \"status=%{DATA:QUOTEDSTRING}%{SPACE}priority=%{WORD:priority}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{SPACE}src_ip=%{DATA:src_ip}%{SPACE}ZONE=%{QUOTEDSTRING:zone}%{SPACE}message=%{QUOTEDSTRING:event_message}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "1639dac0-7d02-4180-9bac-89881d9f621c", "data": { "title": { "@type": "string", "@value": "XG IDP Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG IDP Type\"\nwhen\n to_string($message.log_type) == \"IDP\"\nthen\n set_fields(\n grok(\n pattern: 
\"priority=%{WORD:priority}%{SPACE}idp_policy_id=%{INT:idp_policy_id}%{SPACE}fw_rule_id=%{INT:fw_rule_id}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{SPACE}signature_id=%{INT:signature_id}%{SPACE}signature_msg=%{QUOTEDSTRING:signature_msg}%{SPACE}classification=%{QUOTEDSTRING:classification}%{SPACE}rule_priority=%{INT:rule_priority}%{SPACE}src_ip=%{DATA:src_ip}%{SPACE}src_country_code=%{DATA:src_country_code}%{SPACE}dst_ip=%{DATA:dst_ip}%{SPACE}dst_country_code=%{DATA:dst_country_code}%{SPACE}protocol=%{QUOTEDSTRING:protocol}%{SPACE}src_port=%{INT:src_port}%{SPACE}dst_port=%{INT:dst_port}%{SPACE}platform=%{QUOTEDSTRING:platform}%{SPACE}category=%{QUOTEDSTRING:category}%{SPACE}target=%{QUOTEDSTRING:target}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] }, { "v": "1", "type": { "name": "pipeline_rule", "version": "1" }, "id": "f8b3642c-799d-468d-a3da-a52d5064ed8c", "data": { "title": { "@type": "string", "@value": "XG SMTP Type" }, "description": { "@type": "string", "@value": "" }, "source": { "@type": "string", "@value": "rule \"XG SMTP Type\"\nwhen\n to_string($message.log_component) == \"SMTP\"\nthen\n set_fields(\n grok(\n pattern: \"priority=%{WORD:priority}%{SPACE}fw_rule_id=%{INT:fw_rule_id}%{SPACE}user_name=%{QUOTEDSTRING:user_name}%{GREEDYDATA}from_email_address=%{QUOTEDSTRING:from_email_address}%{SPACE}to_email_address=%{QUOTEDSTRING:to_email_address}%{SPACE}email_subject=%{QUOTEDSTRING:email_subject}%{GREEDYDATA}src_domainname=%{QUOTEDSTRING:src_domain}\",\n value: to_string($message.message),\n only_named_captures: true\n )\n );\nend" } }, "constraints": [ { "type": "server-version", "version": ">=3.3.0+4ea5649" } ] } ] }