About resuna

You are correct in that everything starting with and after the string CEF is the Arcsight CEF format.  The portion prior to that is a syslog header.   If you use the current stable filebeat it includes native CEF parsing to ECS.     I have to say I was quite surprised at PAN's selection of CEF for the syslog messages but JSON for the email alerts.   It also surprised me that their were far fewer fields provided in the CEF messages than the JSON emails (albeit a ton of fields are null), ... View more

 Here is an example nxlog excerpt to convert cef to json.   <Input xdr_cef> Module im_file File "/var/log/xdr*log*" Exclude "/var/log/xdr*bz2" Exec parse_syslog(); parse_cef($Message); </Input>   <Output xdr_json> Module om_file File '/var/log/xdr' + strftime($EventTime, '%Y-%m-%d') + '.json' Exec to_json(); </Output> <Route main> Path xdr_cef => xdr_json </Route> ... View more

It's formatted using CEF.  Logstash has a CEF codec plugin but it mostly just rewrites the keys or field names.  Any items withe the string "Label" in the key are in fact providing the key name for the related non-label key=value So: cs6Label=Pants cs6=True   Can actually be consolidated to Pants: True   I recommend checking out nxlog as it has a very straight forward CEF->JSON conversion that would allow you to feed in json to logstash and hit the ground running.     Then you could construct a bunch of mutate filters like below to consolidate those fields.....   # Match labels to values and remove other fields if([deviceCustomString1] and [deviceCustomString1Label]) { mutate { add_field => [ "%{deviceCustomString1Label}","%{deviceCustomString1}"] remove_field => ["deviceCustomString1Label"] remove_field => ["deviceCustomString1"] } } if([deviceCustomString2] and [deviceCustomString2Label]) { mutate { add_field => [ "%{deviceCustomString2Label}","%{deviceCustomString2}"] remove_field => ["deviceCustomString2Label"] remove_field => ["deviceCustomString2"] } } if([deviceCustomString3] and [deviceCustomString3Label]) { mutate { add_field => [ "%{deviceCustomString3Label}","%{deviceCustomString3}"] remove_field => ["deviceCustomString3Label"] remove_field => ["deviceCustomString3"] } } if([deviceCustomString4] and [deviceCustomString4Label]) { mutate { add_field => [ "%{deviceCustomString4Label}","%{deviceCustomString4}"] remove_field => ["deviceCustomString4Label"] remove_field => ["deviceCustomString4"] } } if([deviceCustomString5] and [deviceCustomString5Label]) { mutate { add_field => [ "%{deviceCustomString5Label}","%{deviceCustomString5}"] remove_field => ["deviceCustomString5Label"] remove_field => ["deviceCustomString5"] } } if([deviceCustomString6] and [deviceCustomString6Label]) { mutate { add_field => [ "%{deviceCustomString6Label}","%{deviceCustomString6}"] remove_field => ["deviceCustomString6Label"] remove_field => ["deviceCustomString6"] } } if([deviceCustomNumber1Label] and [deviceCustomNumber1]) { mutate { add_field => [ "%{deviceCustomNumber1Label}","%{deviceCustomNumber1}"] remove_field => ["deviceCustomNumber1Label"] remove_field => ["deviceCustomNumber1"] } } if([deviceCustomNumber2Label] and [deviceCustomNumber2]) { mutate { add_field => [ "%{deviceCustomNumber2Label}","%{deviceCustomNumber2}"] remove_field => ["deviceCustomNumber2Label"] remove_field => ["deviceCustomNumber2"] } } if([deviceCustomNumber3Label] and [deviceCustomNumber3]) { mutate { add_field => [ "%{deviceCustomNumber3Label}","%{deviceCustomNumber3}"] remove_field => ["deviceCustomNumber3Label"] remove_field => ["deviceCustomNumber3"] } } if([deviceCustomNumber4Label] and [deviceCustomNumber4]) { mutate { add_field => [ "%{deviceCustomNumber4Label}","%{deviceCustomNumber4}"] remove_field => ["deviceCustomNumber4Label"] remove_field => ["deviceCustomNumber4"] } } if([deviceCustomNumber5Label] and [deviceCustomNumber5]) { mutate { add_field => [ "%{deviceCustomNumber5Label}","%{deviceCustomNumber5}"] remove_field => ["deviceCustomNumber5Label"] remove_field => ["deviceCustomNumber5"] } } if([deviceCustomNumber6Label] and [deviceCustomNumber6]) { mutate { add_field => [ "%{deviceCustomNumber6Label}","%{deviceCustomNumber6}"] remove_field => ["deviceCustomNumber6Label"] remove_field => ["deviceCustomNumber6"] } } if([flexNumber1Label] and [flexNumber1]) { mutate { add_field => [ "%{flexNumber1Label}","%{flexNumber1}"] remove_field => ["flexNumber1Label"] remove_field => ["flexNumber1"] } } if([flexNumber2Label] and [flexNumber2]) { mutate { add_field => [ "%{flexNumber2Label}","%{flexNumber2}"] remove_field => ["flexNumber2Label"] remove_field => ["flexNumber2"] } } if([flexNumber3Label] and [flexNumber3]) { mutate { add_field => [ "%{flexNumber3Label}","%{flexNumber3}"] remove_field => ["flexNumber3Label"] remove_field => ["flexNumber3"] } } if([flexNumber4Label] and [flexNumber4]) { mutate { add_field => [ "%{flexNumber4Label}","%{flexNumber4}"] remove_field => ["flexNumber4Label"] remove_field => ["flexNumber4"] } } if([flexNumber5Label] and [flexNumber5]) { mutate { add_field => [ "%{flexNumber5Label}","%{flexNumber5}"] remove_field => ["flexNumber5Label"] remove_field => ["flexNumber5"] } } ... View more

I am experiencing the same symptoms using a cert with a subdomain as the CN and a wildcard in the SAN field.  I am not using mind meld for this feed.    I uploaded the intermediate ca to the firewall as well and enabled it in the cert profile and verified the issuing CA of the intermediate is already on the (8.1) firmware.   As best I can tell it seems to be only comparing the CN field and not checking the target fqdn against the SAN field. ... View more

I am testing using an internal IP that runs netsink. Netsink basically emulates DNS,HTTP, HTTPS,SMTP,SMTPS,FTP and has functionality to redirect any tcp connection to a listener which then determines which of the above protocols the request is for and emulates it.    The reason we do this is to allow for more detailed analysis of the client and the malware.  Having the headers from an HTTP/S request (yes netsink will strip the SSL as it servers its own cert) or the SMTP headers improves your situational awareness around these incidents.   So far so good. ... View more

I am testing using an internal IP that runs netsink. Netsink basically emulates DNS,HTTP, HTTPS,SMTP,SMTPS,FTP and has functionality to redirect any tcp connection to a listener which then determines which of the above protocols the request is for and emulates it.    The reason we do this is to allow for more detailed analysis of the client and the malware.  Having the headers from an HTTP/S request (yes netsink will strip the SSL as it servers its own cert) or the SMTP headers improves your situational awareness around these incidents.   So far so good. ... View more