Skip to content

Additional Knowledge Objects #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dfederschmidt wants to merge 1 commit into
base: master
Choose a base branch
from
+50 −0
Open

Additional Knowledge Objects #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions forcepoint-solutions/local/eventtypes.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
[forcepoint_ngfw_network_traffic]
search = sourcetype=next-generation-firewall (SITUATION="Connection_Refused" OR SITUATION="Connection_Closed" OR SITUATION="Connection_Allowed" OR SITUATION="Connection_Discarded" OR SITUATION="Connection_Closed-Abnormally" OR SITUATION="Connection_Progress")

[forcepoint_ngfw_network_vpn]
search = sourcetype=next-generation-firewall PEERSECURITYGATEWAY="VPN Client"
37 changes: 37 additions & 0 deletions forcepoint-solutions/local/props.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,43 @@ TIME_PREFIX=<TIMESTAMP>
category=Custom
description=Forcepoint Next Generation Firewall Logs

EVAL-action = case(ACTION=="Refuse","blocked",(ACTION=="Terminate" OR ACTION=="Discard"),"dropped",(ACTION=="Permit" OR ACTION=="Allow"), "allowed", true(), ACTION)

FIELDALIAS-bytesin = ACCRXBYTES as bytes_in
FIELDALIAS-bytesout = ACCTXBYTES as bytes_out
EVAL-bytes = ACCRXBYTES + ACCTXBYTES

FIELDALIAS-packetsin = ACCRXPACKETS as packets_in
FIELDALIAS-bytesout = ACCTXPACKETS as packets_out
EVAL-packets = ACCRXPACKETS + ACCTXPACKETS

FIELDALIAS-dest = DST as dest
FIELDALIAS-dest_ip = DST as dest_ip
FIELDALIAS-dest_port = DPORT as dest_port
FIELDALIAS-dest_translated_ip = NATDST as dest_translated_ip
FIELDALIAS-dest_translated_port = NATDPORT as dest_translated_port

FIELDALIAS-src = SRC as src
FIELDALIAS-srcip = SRC as src_ip
FIELDALIAS-src_translated_ip = NATSRC as src_translated_ip
FIELDALIAS-src_translated_port = NATSPORT as src_translated_port

FIELDALIAS-dvc = NODEID as dvc
FIELDALIAS-dvc_ip = NODEID as dvc_ip

FIELDALIAS-icmp_type= ICMPTYPE as icmp_type

FIELDALIAS-rule = RULEID as rule
FIELDALIAS-user = USERNAME as user

EVAL-vendor = "Forcepoint"
EVAL-product = "Forcepoint NGFW"
FIELDALIAS-app = SERVICE as app
EVAL-transport = case(match(app, "(TCP|HTTP)"), "tcp", match(app, "UDP"), "udp", match(PROTOCOL, "1"), "icmp", true(), "unknown")
EVAL-protocol = "ip"
FIELDALIAS-protocol_version = IPVERSION as protocol_version


[cloud-security-gateway]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
Expand Down
8 changes: 8 additions & 0 deletions forcepoint-solutions/local/tags.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[eventtype=forcepoint_ngfw_network_traffic]
network = enabled
communicate = enabled

[eventtype=forcepoint_ngfw_network_vpn]
network = enabled
session = enabled
vpn = enabled