Axis Atmos Packet Broker
About
Short for “Atmosphere,” Atmos is the first SSE platform to elegantly integrate ZTNA, SWG, CASB and Digital Experience into a single, easy-to-use interface.
Product Details
Vendor URL: Axis
Product Type: SSE
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: CEF
Expected Normalization Rate: near 100%
Data Label: AXIS_ATMOS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| cef_description | metadata.description |
| "Atmos" | metadata.product_name |
| "Axis" | metadata.vendor_name |
| cef_version | metadata.product_version |
| cef_product | metadata.product_event_type |
| cef_event_id | metadata.product_log_id |
| observer | observer.ip |
| suser | principal.user.userid |
| src | principal.ip |
| cs1 | principal.application |
| cs4 | principal.asset.location.country_or_region |
| cs6 | principal.platform |
| dhost | target.ip |
| port | target.port |
| msg | security_result.description |
| app | security_result.detection_fields |
| cs5 | security_result.detection_fields |
Product Event Types
| type | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
Log Sample
April 08 17:55:13 10.0.0.0:1 CEF:0|Axis Security|ActivityLog|v1.0.0|event_id|Agent Internal Destinations D10|4|app=Native dhost=10.0.0.0:1 src=10.117.239.143 suser=suser_name cs1Label=ApplicationId cs1=app_id_number cs2Label=ApplicationName cs2=Agent Internal Destinations D10 cs3Label=ConnectorPublicIP cs4Label=GeoLocation cs4=US cs5Label=IsDiscoverySession cs5=false cs6Label=OperationSystem cs6=Windows
Sample Parsing
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "Axis"
metadata.product_name = "Atmos"
metadata.product_version = "v1.0.0"
metadata.product_event_type = "ActivityLog"
metadata.description = "Agent Internal Destinations D10"
observer.ip = "10.0.0.0"
principal.user.userid = "suser_name"
principal.asset.location.country_or_region = "US"
principal.ip = "10.117.239.143"
principal.application = "app_id_number"
principal.platform = WINDOWS
target.ip = "10.0.0.0"
target.port = 1
security_result.detection_fields.key = "app"
security_result.detection_fields.value = "Native"
security_result.detection_fields.key = "isDiscoverySession"
security_result.detection_fields.value = "false"
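As an added example (not Axis's code and not the production parser), the following Python splits the log sample above into its syslog prefix, CEF header and extension, then applies the mapping table to produce the UDM fields listed under Sample Parsing. The `as_ip` validation and the upper-casing of cs6 into the platform enum name are assumptions about how the parser behaves, not documented behaviour.

```python
import ipaddress
import re

# Constructed input: the page's log sample (syslog prefix, then a CEF:0 body).
SAMPLE = (
    "April 08 17:55:13 10.0.0.0:1 CEF:0|Axis Security|ActivityLog|v1.0.0|event_id|Agent Internal Destinations D10|4|"
    "app=Native dhost=10.0.0.0:1 src=10.117.239.143 suser=suser_name cs1Label=ApplicationId cs1=app_id_number "
    "cs2Label=ApplicationName cs2=Agent Internal Destinations D10 cs3Label=ConnectorPublicIP cs4Label=GeoLocation "
    "cs4=US cs5Label=IsDiscoverySession cs5=false cs6Label=OperationSystem cs6=Windows"
)

def parse_cef(line):
    """Split a syslog-prefixed CEF line into (observer token, header dict, extension dict)."""
    prefix, _, body = line.partition(" CEF:")
    observer = prefix.split()[-1]                 # host[:port] token right before "CEF:"
    parts = body.split("|", 7)                    # CEF:0 = 7 header fields, then the whole extension
    if len(parts) != 8: raise ValueError("not a CEF:0 line: %r" % line[:40])
    header = dict(zip(["version", "vendor", "product", "product_version", "event_id", "name", "severity"], parts[:7]))
    # Extension values may contain spaces (cs2 above): a value runs until the next " key=" or end of line.
    ext = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return observer, header, ext

def as_ip(value):
    """Accept only syntactically valid IPs so free text from a log never lands in an *.ip field (assumption)."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def to_udm(line):
    """Apply the mapping table above to one line; dhost (ip:port) is split into target.ip and target.port."""
    observer, h, ext = parse_cef(line)
    host, _, port = ext.get("dhost", "").partition(":")
    return {
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Axis", "metadata.product_name": "Atmos",
        "metadata.product_version": h["product_version"],
        "metadata.product_event_type": h["product"],
        "metadata.product_log_id": h["event_id"],
        "metadata.description": h["name"],
        "observer.ip": as_ip(observer.partition(":")[0]),
        "principal.user.userid": ext.get("suser"),
        "principal.ip": as_ip(ext.get("src", "")),
        "principal.application": ext.get("cs1"),
        "principal.asset.location.country_or_region": ext.get("cs4"),
        "principal.platform": ext.get("cs6", "").upper() or None,   # "Windows" -> WINDOWS (assumed normalization)
        "target.ip": as_ip(host),
        "target.port": int(port) if port.isdigit() else None,
        "security_result.detection_fields": [{"key": k, "value": ext[f]} for k, f in (("app", "app"), ("isDiscoverySession", "cs5")) if f in ext],
    }
```

Running `to_udm(SAMPLE)` yields the same values as the Sample Parsing list; a line whose extension is not well-formed CEF raises rather than producing half-populated fields.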