Meraki-FW
FW-FW-Security-Event
FW-FW-Security-Log
<PRIORITY>VERSION TIME GATEWAYIP - - - TIMESTAMP_FW APPLIANCENAME TYPE IDS_EVENT SIGNATURE PRIORITY TIMESTAMP_EPOCH HOST_MAC_SRC DIRECTION PROTOCOL HOST_IP_SRC PORT_SRC HOST_IP_DST PORT_DST MESSAGE
FW-FW-Security-Event
true
<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
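# Logstash filter for Cisco Meraki MX "security_event" IDS alerts received over syslog.
# Sample input (from the header above):
#   <134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=... shost=... direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE ...
filter {
  grok {
    # Every capture has a unique name. The previous pattern captured both the syslog PRI
    # ("<134>") and the IDS "priority=3" value as `priority`, so grok produced an array and
    # `Event:Priority` rendered as "134,3" instead of "3". The gateway address is now
    # `gateway_ip` (the input plugin already owns `host`), and the IDS text is `ids_message`
    # so the raw line stays in `message` rather than being appended to it.
    # src/dst are captured as "ip:port" exactly as they appear in the sample; split them
    # here if downstream consumers expect a bare address.
    match => { 'message' => '<%{POSINT:syslog_pri}>%{POSINT:version} %{TIMESTAMP_ISO8601:time} %{IPORHOST:gateway_ip} %{DATA:pid} %{DATA:errMsg} %{DATA:OID} %{DATA:timestamp_fw} %{DATA:appliancename} %{DATA:type} %{DATA:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} timestamp=%{DATA:timestamp} shost=%{COMMONMAC:shost} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{DATA:src} dst=%{DATA:dst} %{GREEDYDATA:ids_message}' }
    add_tag => [ "Meraki-FW-Event" ]
  }
  # Only events that matched the pattern are normalized; grok failures keep their
  # `_grokparsefailure` tag and pass through untouched.
  if "Meraki-FW-Event" in [tags] {
    mutate {
      # `host` here is the field set by the input plugin; the gateway IP from the syslog
      # header is preserved separately as `gateway_ip`.
      remove_field => ['@version','host','path','@message']
      add_field => [ 'Event:Event-Name', '%{IDS_Event}' ]
      # sprintf references use %{field}; the grok-style "%{TIMESTAMP_ISO8601:time}" used
      # before is not a field reference and never expanded to the event time.
      add_field => [ 'Event:Timestamp', '%{time}' ]
      add_field => [ 'Event:Pattern-Name', 'Meraki-FW-Event' ]
      add_field => [ 'Event:Source-IP-Address', '%{src}' ]
      add_field => [ 'Event:Destination-IP-Address', '%{dst}' ]
      add_field => [ 'Event:Protocol', '%{protocol}' ]
      add_field => [ 'Event:Direction', '%{direction}' ]
      add_field => [ 'Event:MAC-Address', '%{shost}' ]
      add_field => [ 'Event:Timestamp-Epoch', '%{timestamp}' ]
      add_field => [ 'Event:Priority', '%{priority}' ]
      add_field => [ 'Event:Signature', '%{signature}' ]
      add_field => [ 'Event:Appliance-Name', '%{appliancename}' ]
      add_field => [ 'Event:Timestamp-FW', '%{timestamp_fw}' ]
      add_field => [ 'Event:Message', '%{ids_message}' ]
    }
    ruby {
      # Move every remaining raw field (everything not already under "Event:" or an "@"
      # field) under the Event:Meraki-FW-Event: namespace, then write the normalized
      # timestamp. The code keeps the legacy event[] accessors used by the original;
      # NOTE(review): on Logstash 5+ these must become event.get / event.set / event.to_hash.
      code => "
        require 'time'
        reported_time = event['time']
        event.clone.to_hash.each do |name, value|
          next if name.start_with?('Event:', '@')
          event['Event:Meraki-FW-Event:' + name] = value
          event.remove(name)
        end
        # Use the time the appliance reported in the syslog header, not the time the
        # pipeline processed the event: replayed or delayed logs would otherwise be
        # timestamped at ingestion and break incident timelines. Fall back to now only
        # when the header time is missing or unparseable. Rendered in UTC so the
        # zone-less format is unambiguous.
        begin
          tstamp = Time.parse(reported_time.to_s).utc
        rescue ArgumentError
          tstamp = Time.now.utc
        end
        event['Event:Timestamp'] = tstamp.strftime('%Y-%m-%d %H:%M:%S')
      "
    }
  }
}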