Iboss¶
About¶
The iboss SASE Cloud Platform is a patented, cloud-delivered security gateway purpose built on a containerized architecture. This approach consolidates security technologies (SWG, CASB, DLP, IPS, Malware Defense, Firewall) into a single unified platform.
Product Details¶
Vendor URL: Iboss
Product Type: Proxy
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: IBOSS_WEBPROXY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| logtime | metadata.event_timestamp |
| “NETWORK_HTTP” | metadata.event_type |
| action - resolvedCategoryDescription | metadata.product_event_type |
| "Proxy" | metadata.product_name |
| "Iboss" | metadata.vendor_name |
| action - resolvedCategoryDescription | metadata.description |
| downstreamByteUsage | additional_fields.downstreamByteUsage |
| upstreamByteUsage | additional_fields.upstreamByteUsage |
| totalDownstreamPacketCount | additional_fields.totalDownstreamPacketCount |
| totalPacketCount | additional_fields.totalPacketCount |
| totalUpstreamPacketCount | additional_fields.totalUpstreamPacketCount |
| protocol | network.application_protocol |
| requestMethod | network.http.method |
| referrerUrl | network.http.referral_url |
| responseCode | network.http.response_code |
| userAgent | network.http.user_agent |
| ipProtocol | network.ip_protocol |
| computerIdentifier | principal.asset.asset_id |
| h_host | principal.administrative_domain |
| sourceIp | principal.ip |
| computerName | principal.hostname |
| location | principal.location.name |
| computerMac/macAddress | principal.mac |
| reportId | principal.process.product_specific_process_id |
| username | principal.user.userid |
| firstname | principal.user.firstname |
| lastname | principal.user.lastname |
| @class | principal.process.file.full_path |
| filteringGroupName | principal.group.group_display_name |
| agentOperatingSystem | principal.platform |
| agentVersion | principal.platform_version |
| sourcePort | principal.port |
| sha256 | principal.process.file.sha256 |
| action | security_result.action |
| categories | security_result.category_details |
| resolvedCategoryDescription | security_result.summary |
| iboss | target.hostname |
| destinationUrl | target.file.full_path |
| destinationIp | target.ip |
| destination | target.port |
Product Event Types¶
| Product event | Description | UDM Event |
|---|---|---|
| All | All events | NETWORK_HTTP |
Log Sample¶
<134>Jan 21 05:41:22 h_host_domain {"@class":"file.path","newStat":false,"ipProtocol":"","intervalStartTime":null,"intervalEndTime":null,"reportId":0,"username":"administrator","filteringGroupNumber":9,"location":"cloud-node","totalByteCount":0,"totalUpstreamByteCount":0,"totalDownstreamByteCount":0,"totalPacketCount":0,"totalUpstreamPacketCount":0,"totalDownstreamPacketCount":0,"totalBlockCount":0,"totalHitCount":0,"useTime":835,"fullReportStat":0,"filteringGroupName":"Senior Management","firstname":"john","lastname":"doe","urlLogEntryId":4612,"logTime":1642779681000,"totalByteUsage":14899,"contentType":0,"action":"Allowed","url":"url.net:port","fullUrl":null,"description":"","categories":[0,1,0,0,0],"ipAddressDecimal":null,"ipAddress":"10.175.38.129","computerMac":"","computerName":"BSR2-P","sourceIpAddressDecimal":0,"sourceIpAddress":"10.1.80.28","video":0,"videoAvailable":0,"videoType":"VNC Recording","videoDescription":"","videoFilePath":"","videoWidth":0,"videoHeight":0,"callout":0,"reportingGroup":0,"statusRecord":0,"qosEvent":0,"auditRecord":0,"iboss":"target_host","uncategorizedUrl":0,"reportUrl":1,"malwareFlag":0,"cncCallbackFlag":0,"avScanned":0,"calloutServiceType":null,"calloutSearchTerms":null,"sandboxStatus":0,"sandboxResult":"","sandboxType":"","sourcePort":0,"destinationPort":0,"userAgent":"","referrerUrl":"","requestMethod":"CONNECT","protocol":"","hostnameHeader":"url.net:port","phishingIndicators":"","contentTypeHeader":"","protocolVersionHeader":"1.1","contentLengthHeader":0,"upstreamByteUsage":5349,"downstreamByteUsage":9550,"responseCode":200,"piiEncryptionId":"","datasourceEncryptionId":"","groupnameEncryptionId":"","computerIdentifier":"","agentOperatingSystem":"Microsoft Windows","agentVersion":"4.9.55.0","heuristicScore":0,"privateIp":"10.1.80.28","publicIp":"10.215.227.4","ztna":0,"proxyMasterTransactionStartTime":"1642779680.455","proxyResponseTime":"835","proxyDnsLookupTime":"","proxyTimeSinceEpoch":"1642779681","filename":"","byteCount":0,"macAddress":"02:4f:13:01:d4:09","direction":0,"mde":"","allowed":true,"sourceIp":"10.1.80.28","destinationIp":"10.175.38.129","dlpDescription":false,"malwareOrDlpRecord":false,"categoryName":"Tech Infrastructure","dbCategories":"0000","destinationUrl":"url.net:port","categoryNamesSeparatedBySemicolons":"Tech Infrastructure","agentRegistrationStatusRecord":false,"dlpStatusRecord":false,"generalStatusRecord":false,"blocked":false,"bandwidthStatusRecord":false,"sandboxResultBase64Decoded":"","videoFileName":"","ztnaPrivateAccessRequest":false,"resolvedCategoryDescription":"Tech Infrastructure","cacheKey":"ule_","formattedUseTime":"13 mins, 55 secs","upstreamKiloBitsPerSecond":0.0,"bulkImportData":"","kiloBitsPerSecond":0.0,"downstreamKiloBitsPerSecond":0.0,"stealth":0,"sha256":""}
Sample Parsing¶
metadata.event_timestamp = "2021-09-21T23:00:00Z"
metadata.event_type = "NETWORK_HTTP"
metadata.description = "Allowed - Agent Registration"
metadata.product_name = "Proxy"
metadata.product_event_type = "Allowed - Agent Registration"
metadata.vendor_name = "Iboss"
metadata.ingested_timestamp = "2021-09-22T00:25:47.873034Z"
additional_fields.downstreamByteUsage = 9550
additional_fields.upstreamByteUsage = 5349
additional_fields.totalDownstreamPacketCount = 0
additional_fields.totalPacketCount = 0
additional_fields.totalUpstreamPacketCount = 0
network.http.method = "CONNECT"
network.http.response_code = 200
principal.administrative_domain = "h_host_domain"
principal.ip = "10.1.80.28"
principal.hostname = "BSR2-P"
principal.location.name = "cloud-node"
principal.mac = "02:4f:13:01:d4:09"
principal.process.product_specific_process_id = "ReportId: 0"
principal.user.userid = "administrator"
principal.user.firstname = "john"
principal.user.lastname = "doe"
principal.process.file.full_path = "file_path"
principal.group.group_display_name = "Senior Management"
principal.platform = "WINDOWS"
principal.platform_version = "4.9.55.0"
principal.port = port
security_result.action = "ALLOW"
security_result.category_details = ""
security_result.summary = "Agent Registration"
target.hostname = "target_host"
target.file.full_path = "url.net:port"
target.ip = "10.175.38.129"
target.port = port
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon