broadcom/proxysg

VendorBroadcom Inc.
AuthorCrowdStrike
Version1.1.0
Minimum LogScale Version1.142.0

This package provides a parser for Broadcom ProxySG events in JSON format. The resulting Proxy data can be used together with data on users and endpoints to indicate the presence of threat actors in the system and insider threats.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Installing the Broadcom ProxySG Package in LogScale

Find the repository where you want to send the Broadcom ProxySG logs, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package (i.e. broadcom/proxysg).

  3. When the package has finished installing, click Ingest tokens on the left still under Settings.

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for), and leave the parser unassigned.

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Getting Broadcom ProxySG Data into LogScale

The following steps must be performed to get ingest data using LogScale.

  • Add the following snippet to your LogScale Collector configuration, see Configure Falcon Log Collector for more information on the LogScale Collector.

    yaml
    infoblox_nios:
      type: syslog
      mode: udp
      port: 1514
      sink: logscale
      parser: "broadcom/proxysg::broadcom-proxysg"
  • Configure Broadcom ProxySG to send logs to a Syslog Server. Note that you must not use the port 514.

Verify Data is Arriving in LogScale

Once you have completed the above steps the Broadcom ProxySG data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "broadcom" | #event.module = "proxysg" to see the Broadcom ProxySG events.

Output

The Broadcom ProxySG output must be formatted as follows:

<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc)Z $(s-computername) ProxySG - logscale_format - cIp=$(c-ip) rsContentType=$(quot)$(rs(Content-Type))$(quot) csAuthGroups=$(cs-auth-groups) csBytes=$(cs-bytes) csCategories=$(cs-categories) csHost=$(cs-host) csIp=$(cs-ip) csMethod=$(cs-method) csUriPort=$(cs-uri-port) csUriScheme=$(cs-uri-scheme) csUserAgent=$(quot)$(cs(User-Agent))$(quot) csUsername=$(cs-username) dnslookupTime=$(dnslookup-time) duration=$(duration) rsStatus=$(rs-status) rsVersion=$(rs-version) sAction=$(s-action) sIp=$(s-ip) serviceName=$(service.name) serviceGroup=$(service.group) sSupplierIp=$(s-supplier-ip) sSupplierName=$(s-supplier-name) scBytes=$(sc-bytes) scFilterResult=$(sc-filter-result) scStatus=$(sc-status) timeTaken=$(time-taken) xExceptionId=$(x-exception-id) xVirusId=$(x-virus-id) cUrl=$(quot)$(url)$(quot) csReferer=$(quot)$(cs(Referer))$(quot) cCpu=$(c-cpu) connectTime=$(connect-time) csAuthGroups=$(cs-auth-groups) csHeaderlength=$(cs-headerlength) csThreatRisk=$(cs-threat-risk) rIp=$(r-ip) rSupplierIp=$(r-supplier-ip) rsTimeTaken=$(rs-time-taken) rsServer=$(rs(server)) sConnectType=$(s-connect-type) sIcapStatus=$(s-icap-status) sSitename=$(s-sitename) sSourcePort=$(s-source-port) sSupplierCountry=$(s-supplier-country) scContentEncoding=$(sc(Content-Encoding)) srAcceptEncoding=$(sr(Accept-Encoding)) xAuthCredentialType=$(x-auth-credential-type) xCookieDate=$(x-cookie-date) xCsCertificateSubject=$(x-cs-certificate-subject) xCsConnectionNegotiatedCipher=$(x-cs-connection-negotiated-cipher) xCsConnectionNegotiatedCipherSize=$(x-cs-connection-negotiated-cipher-size) xCsConnectionNegotiatedSslVersion=$(x-cs-connection-negotiated-ssl-version) xCsOcspError=$(x-cs-ocsp-error) xCsRefererUri=$(x-cs(Referer)-uri) xCsRefererUriAddress=$(x-cs(Referer)-uri-address) xCsRefererUriExtension=$(x-cs(Referer)-uri-extension) xCsRefererUriHost=$(x-cs(Referer)-uri-host) xCsRefererUriHostname=$(x-cs(Referer)-uri-hostname) xCsRefererUriPath=$(x-cs(Referer)-uri-path) xCsRefererUriPathquery=$(x-cs(Referer)-uri-pathquery) xCsRefererUriPort=$(x-cs(Referer)-uri-port) xCsRefererUriQuery=$(x-cs(Referer)-uri-query) xCsRefererUriScheme=$(x-cs(Referer)-uri-scheme) xCsRefererUriStem=$(x-cs(Referer)-uri-stem) xExceptionCategory=$(x-exception-category) xExceptionCategoryReviewMessage=$(x-exception-category-review-message) xExceptionCompanyName=$(x-exception-company-name) xExceptionContact=$(x-exception-contact) xExceptionDetails=$(x-exception-details) xExceptionHeader=$(x-exception-header) xExceptionHelp=$(x-exception-help) xExceptionLastError=$(x-exception-last-error) xExceptionReason=$(x-exception-reason) xExceptionSourcefile=$(x-exception-sourcefile) xExceptionSourceline=$(x-exception-sourceline) xExceptionSummary=$(x-exception-summary) xIcapErrorCode=$(x-icap-error-code) xRsCertificateHostname=$(x-rs-certificate-hostname) xRsCertificateHostnameCategory=$(x-rs-certificate-hostname-category) xRsCertificateObservedErrors=$(x-rs-certificate-observed-errors) xRsCertificateSubject=$(x-rs-certificate-subject) xRsCertificateValidateStatus=$(x-rs-certificate-validate-status) xRsConnectionNegotiatedCipher=$(x-rs-connection-negotiated-cipher) xRsConnectionNegotiatedCipherSize=$(x-rs-connection-negotiated-cipher-size) xRsConnectionNegotiatedSslVersion=$(x-rs-connection-negotiated-ssl-version) xRsOcspError=$(x-rs-ocsp-error) csUriExtension=$(cs-uri-extension) csUriPath=$(cs-uri-path) csUriQuery=$(quot)$(cs-uri-query)$(quot) cUriPathquery=$(c-uri-pathquery)