Appgate Software-defined Perimeter
About
Appgate SDP protects private access across complex hybrid IT environments, whether the resources sit on-premises, in data centers, in one or more clouds (multi-cloud), or in any combination of these, using a single unified policy engine.
Product Details
Vendor URL: Appgate
Product Type: Software defined perimeter
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: APPGATE_SDP
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
log.collective_id | metadata.product_deployment_id |
log.event_type | metadata.product_event_type |
log.id | metadata.product_log_id |
SDP | metadata.product_name |
log.timestamp | metadata.timestamp |
Appgate | metadata.vendor |
log.direction | network.direction |
log.protocol | network.ip_protocol |
hostname | observer.hostname |
log.session_id | principal.hostname |
log.device_claims.os.type | principal.asset.category |
log.device_claims.os.family | principal.asset.platform_software.platform |
log.device_claims.os.version | principal.asset.platform_software.platform_patch_level |
log.device_claims.os.name | principal.asset.platform_software.platform_version |
daemon | principal.asset.software.name |
log.device_claims.clientType | principal.asset.software.name |
version | principal.asset.software.version |
log.device_claims.clientVersion | principal.asset.software.version |
WORKSTATION,LAPTOP | principal.asset.type |
log.client_ip | principal.ip |
log.device_claims.clientIPs | principal.ip |
log.geoip.city_name | principal.location.city |
log.geoip.country_name | principal.location.country_or_region |
log.geoip.latitude | principal.location.region_latitude |
log.geoip.longitude | principal.location.region_longitude |
log.geoip.region_name | principal.location.state |
log.device_claims.macAddresses | principal.mac |
log.client_port | principal.port |
log.distinguished_name_ou | principal.user.group_identifiers |
log.distinguished_name_user | principal.user.userid |
log.action | security_result.action_details |
log.action_id | security_result.rule_id |
log.rule_name | security_result.rule_name |
log.drop-reason | security_result.summary |
log.source_ip | src.ip |
log.destination_ip | target.ip |
log.destination_port | target.port |
Product Event Types
Event | UDM Event Classification |
---|---|
Default | GENERIC_EVENT |
ip_access | NETWORK_CONNECTION |
Log Sample
{
  "version": 2,
  "timestamp": "2023-01-09T15:34:35.987Z",
  "hostname": "observername.companyname.com",
  "daemon": "cz-vpnd",
  "log": {
    "action": "allow",
    "action_id": "Network Down#a6sd5f46s1",
    "client_ip": "10.10.10.52",
    "client_port": 65195,
    "collective_id": "asj5asd4df8541",
    "collective_name": "654e9981",
    "connection_type": "established",
    "destination_ip": "10.10.10.73",
    "destination_port": 65509,
    "direction": "down",
    "distinguished_name": "CN=as6d5f40190840hjk,CN=Jane.Doe@companyname.com,OU=Okta - User",
    "distinguished_name_device_id": "as6d5f40190840hjk",
    "distinguished_name_ou": "Okta - User",
    "distinguished_name_user": "Jane.Doe@companyname.com",
    "entitlement_token_id": "gh56j40g65h4j0g654",
    "event_type": "ip_access",
    "geoip": {
      "city_name": "Sanford",
      "continent_code": "NA",
      "cordinates": [-75.1362, 33.4502],
      "country_code2": "US",
      "country_code3": "US",
      "country_name": "United States",
      "dma_code": 560,
      "ip": "10.10.10.52",
      "latitude": 33.4502,
      "location": {"lat": 33.4502, "lon": -75.1362},
      "longitude": -75.1362,
      "postal_code": "27332",
      "region_code": "NC",
      "region_name": "North Carolina",
      "time_zone": "America/New_York"
    },
    "id": "as5df4sd98756sa",
    "packet_size": 52,
    "protocol": "TCP",
    "rule_name": "Network Down",
    "source_ip": "10.10.10.16",
    "source_port": 88,
    "timestamp": "2023-01-09T15:34:35.987Z",
    "version": 16
  }
}
Sample Parsing
metadata.product_log_id = "as5df4sd98756sa"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Appgate"
metadata.product_name = "SDP"
metadata.product_event_type = "ip_access"
metadata.product_deployment_id = "asj5asd4df8541"
metadata.id = "f5gh4n065840f1"
principal.user.userid = "Jane.Doe"
principal.user.group_identifiers = "Okta - User"
principal.ip = "10.10.10.52"
principal.port = 65195
principal.administrative_domain = "companyname.com"
principal.location.city = "Sanford"
principal.location.state = "North Carolina"
principal.location.country_or_region = "United States"
principal.location.region_latitude = 33.4502
principal.location.region_longitude = -75.1362
principal.asset.ip = "10.10.10.52"
principal.asset.software.name = "cz-vpnd"
principal.asset.software.version = "2"
src.ip = "10.10.10.16"
src.asset.ip = "10.10.10.16"
target.ip = "10.10.10.73"
target.port = 65509
target.asset.ip = "10.10.10.73"
observer.hostname = "observername"
observer.domain.name = "companyname.com"
security_result.rule_name = "Network Down"
security_result.action = "ALLOW"
security_result.rule_id = "Network Down#a6sd5f46s1"
security_result.action_details = "allow"
network.ip_protocol = "TCP"
network.direction = "OUTBOUND"
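The following Python script is an added example, not Appgate's code and not the SIEM's own parser: it re-implements the UDM Fields table and the derived values shown in Sample Parsing so the mapping can be reproduced and checked offline before a new log shape is trusted. The embedded record is the page's Log Sample abridged to the fields the mapping uses. Two details are assumptions, labelled in the code: the `up` to `INBOUND` direction mapping (the page only shows `down` to `OUTBOUND`) and the choice to leave any action string other than `allow` unmapped rather than guess a UDM enum value. The user@domain and FQDN splits are inferred from the Sample Parsing values.

```python
import json

# Page's Log Sample, abridged to the fields the mapping table uses.
SAMPLE_LOG = (
    '{"version":2,"timestamp":"2023-01-09T15:34:35.987Z",'
    '"hostname":"observername.companyname.com","daemon":"cz-vpnd","log":{'
    '"action":"allow","action_id":"Network Down#a6sd5f46s1",'
    '"client_ip":"10.10.10.52","client_port":65195,'
    '"collective_id":"asj5asd4df8541","destination_ip":"10.10.10.73",'
    '"destination_port":65509,"direction":"down",'
    '"distinguished_name_ou":"Okta - User",'
    '"distinguished_name_user":"Jane.Doe@companyname.com","event_type":"ip_access",'
    '"geoip":{"city_name":"Sanford","country_name":"United States",'
    '"latitude":33.4502,"longitude":-75.1362,"region_name":"North Carolina"},'
    '"id":"as5df4sd98756sa","protocol":"TCP","rule_name":"Network Down",'
    '"source_ip":"10.10.10.16","source_port":88,'
    '"timestamp":"2023-01-09T15:34:35.987Z"}}'
)

# Product Event Types table; anything not listed falls back to GENERIC_EVENT.
EVENT_TYPES = {"ip_access": "NETWORK_CONNECTION"}
# Sample Parsing shows "down" -> OUTBOUND. "up" -> INBOUND is an assumption
# added here; values not in the table leave network.direction unset.
DIRECTIONS = {"down": "OUTBOUND", "up": "INBOUND"}
# Sample Parsing shows "allow" -> ALLOW; other Appgate action strings are not
# shown on the page, so they are deliberately left unmapped.
ACTIONS = {"allow": "ALLOW"}

# Straight copies from the UDM Fields table: log.<path> -> UDM field.
DIRECT = {
    "event_type": "metadata.product_event_type",
    "id": "metadata.product_log_id",
    "collective_id": "metadata.product_deployment_id",
    "timestamp": "metadata.timestamp",
    "client_ip": "principal.ip",
    "client_port": "principal.port",
    "source_ip": "src.ip",
    "destination_ip": "target.ip",
    "destination_port": "target.port",
    "protocol": "network.ip_protocol",
    "rule_name": "security_result.rule_name",
    "action_id": "security_result.rule_id",
    "action": "security_result.action_details",
    "distinguished_name_ou": "principal.user.group_identifiers",
    "geoip.city_name": "principal.location.city",
    "geoip.region_name": "principal.location.state",
    "geoip.country_name": "principal.location.country_or_region",
    "geoip.latitude": "principal.location.region_latitude",
    "geoip.longitude": "principal.location.region_longitude",
}


def lookup(obj, path):
    """Dotted-path lookup that returns None when any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def normalize(raw):
    """Map one Appgate SDP syslog JSON record to a flat dict of UDM fields."""
    rec = json.loads(raw)
    log = rec.get("log", {})
    udm = {
        "metadata.vendor_name": "Appgate",
        "metadata.product_name": "SDP",
        "metadata.event_type": EVENT_TYPES.get(log.get("event_type"), "GENERIC_EVENT"),
    }
    for src, dst in DIRECT.items():
        val = lookup(log, src)
        if val is not None:
            udm[dst] = val
    # Derived values, reproduced from the Sample Parsing section.
    if log.get("direction") in DIRECTIONS:
        udm["network.direction"] = DIRECTIONS[log["direction"]]
    if log.get("action") in ACTIONS:
        udm["security_result.action"] = ACTIONS[log["action"]]
    # user@domain -> userid + administrative_domain; FQDN -> hostname + domain.
    userid, _, udomain = (log.get("distinguished_name_user") or "").partition("@")
    host, _, hdomain = (rec.get("hostname") or "").partition(".")
    derived = {
        "principal.user.userid": userid,
        "principal.administrative_domain": udomain,
        "observer.hostname": host,
        "observer.domain.name": hdomain,
        "principal.asset.software.name": rec.get("daemon"),
        "principal.asset.software.version": str(rec["version"]) if "version" in rec else "",
    }
    udm.update({k: v for k, v in derived.items() if v})
    # Each noun's ip is mirrored into <noun>.asset.ip, as in Sample Parsing.
    for noun in ("principal", "src", "target"):
        if f"{noun}.ip" in udm:
            udm[f"{noun}.asset.ip"] = udm[f"{noun}.ip"]
    return udm


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f"{field} = {value!r}")
```

Running the script prints the flattened UDM record; comparing its output against the Sample Parsing lines above is a quick regression check when Appgate changes a field name or the collector starts wrapping the JSON differently. Note that `metadata.id` is not derivable from the log and is therefore not produced here.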
Parser Alerting
No parser based alerting