NetApp BlueXP¶
About¶
NetApp BlueXP provides unified control of storage and data services across your hybrid multicloud. With powerful AIOps, integrated data services, and flexible consumption of resources, it delivers the speed, simplicity, and security required to thrive in today’s highly complex world.
Product Details¶
Vendor URL: NetApp BlueXP
Product Type: SaaS
Product Tier: Tier III
Integration Method: Syslog
Log Guide: Audit Logs
Parser Details¶
Log Format: JSON + XML
Expected Normalization Rate: 100%
Data Label: NETAPP_BLUEXP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccessList | security_result.rule_id |
| AccessList | security_result.detection_fields |
| AccessMask | target.process.access_mask |
| AuthenticationPackageName | principal.application |
| AuthenticationPackageName | security_result.about.asset.software |
| Computer | observer.hostname |
| DesiredAccess | security_result.rule_name |
| DesiredAccess | security_result.detection_fields |
| EventID | metadata.product_event_type |
| EventName | metadata.description |
| Filename | target.file.names |
| HandleID | target.process.pid |
| Hostname | observer.hostname |
| IpAddress | principal.ip |
| IpPort | principal.port |
| Keywords | security_result.action_details |
| LogonType | extensions.auth.auth_details |
| NewDirHandle | target.process.pid |
| NewPath | target.file.full_path |
| NewSD | target.resource.attribute.labels |
| ObjectName | target.file.full_path |
| ObjectName | target.resource.name |
| ObjectType | target.resource.resource_subtype |
| Provider | observer.application |
| Provider Guid | metadata.product_log_id |
| SubjectDomainName | principal.administrative_domain |
| SubjectIP | principal.ip |
| SubjectUserName | principal.user.userid |
| SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | target.administrative_domain |
| TargetUserName | target.user.userid |
| TargetUserSid | target.user.windows_sid |
| version | metadata.product_version |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| 4624 | USER_RESOURCE_DELETION |
| 4634 | USER_LOGOUT |
| 4656 | USER_RESOURCE_ACCESS |
| 4663 | FILE_OPEN |
| 4907 | SETTING_MODIFICATION |
Log Sample¶
{"EventReceivedTime":"2024-11-05 11:01:57","SourceModuleName":"file_log_fsxn","SourceModuleType":"im_file","Hostname":"storage-aws-svm-1","Filename":"\\\\exampleshares\\\\\\logs$\\\\audit_log\\\\audit_storage-aws-svm-1_D2024-11-05-T16-01-56_0000000000.xml","service":"FSXn","Message":"<Event><System><Provider Name=\"NetApp-Security-Auditing\" Guid=\"{ABCD1234-FE19-4A4E-BDAD-DCF422F13473}\"/><EventID>4907</EventID><EventName>Auditing Settings Changed</EventName><Version>101.1</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime=\"2024-11-05T16:01:27.224123000Z\"/><Correlation/><Channel>Security</Channel><Computer>FsxId09ea7dea9982b2daa/storage-aws-svm-1</Computer><ComputerUUID>d2781805-d7dc-11ee-8603-971a667b699d/a93344f0-d7f3-11ee-8603-971a667b699d</ComputerUUID><Security/></System><EventData><Data Name=\"SubjectIP\" IPVersion=\"4\">10.4.6.5</Data><Data Name=\"SubjectUnix\" Uid=\"0\" Gid=\"1\" Local=\"false\"></Data><Data Name=\"SubjectUserSid\">S-1-5-21-1234567890-1125766349-1731688626-54852</Data><Data Name=\"SubjectUserIsLocal\">false</Data><Data Name=\"SubjectDomainName\">DEACNET</Data><Data Name=\"SubjectUserName\">j-doe</Data><Data Name=\"ObjectServer\">Security</Data><Data Name=\"ObjectType\">File</Data><Data Name=\"HandleID\">0000000000042a;00;0000eb1c;14c18edb</Data><Data Name=\"ObjectName\">(lawschool_shares_fsxn);/Clinics/Elder Law/CURRENT FILES/KEY OFFICE Docs/1 - FORM DOCS/Archived Files/Students 2001-2013 - Clio/Students - 2005 - Clio/Students - Fall 05 - - Clio/Ringler, S - Clio/Clients/Doe, John - Clio/Additional Opposing Parties-Doe.doc</Data><Data Name=\"OldSD\">S:AI(AU;IDSA;DCLC;;;WD)</Data><Data Name=\"NewSD\">S:AI(AU;IDSA;DCLC;;;WD)</Data></EventData></Event>"}
Sample Parsing¶
metadata.description = "Auditing Settings Changed"
metadata.event_type = "SETTING_MODIFICATION"
metadata.log_type = "NETAPP_BLUEXP"
metadata.product_log_id = "{ABCD1234-FE19-4A4E-BDAD-DCF422F13473}"
metadata.product_version = "101.1"
metadata.vendor_name = "NetApp"
observer.application = "NetApp-Security-Auditing"
observer.hostname = "storage-aws-svm-1"
principal.administrative_domain = "DEACNET"
principal.ip = "10.4.6.5"
principal.user.userid = "j-doe"
principal.user.windows_sid = "S-1-5-21-1234567890-1125766349-1731688626-54852"
security_result.action_details = "AUDIT_SUCCESS"
security_result.action = "ALLOW"
target.file.full_path = "(lawschool_shares_fsxn);/Clinics/Elder Law/CURRENT FILES/KEY OFFICE Docs/1 - FORM DOCS/Archived Files/Students 2001-2013 - Clio/Students - 2005 - Clio/Students - Fall 05 - - Clio/Ringler, S - Clio/Clients/Doe, John - Clio/Additional Opposing Parties-Doe.doc"
target.file.names = "\\\\exampleshares\\\\\\logs$\\\\audit_log\\\\audit_storage-aws-svm-1_D2024-11-05-T16-01-56_0000000000.xml"
target.process.pid = "0000000000042a;00;0000eb1c;14c18edb"
target.resource.attribute.labels.key = "NewSD"
target.resource.attribute.labels.value = "S:AI(AU;IDSA;DCLC;;;WD)"
target.resource.resource_subtype = "File"
target.resource.resource_type = "SETTING"