NetMotion Mobility
About
NetMotion Mobility is standards-compliant, client/server-based software that securely extends the enterprise network to the mobile environment. It is mobile VPN software that maximizes mobile field worker productivity by maintaining and securing workers' data connections as they move in and out of wireless coverage areas and roam between networks. Designed specifically for wireless environments, Mobility provides IT managers with the security and centralized control needed to effectively manage a mobile deployment. Mobility complements existing IT systems, is highly scalable, and is easy to deploy and maintain.
Product Details
Vendor URL: NetMotion Mobility
Product Type: VPN
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Logging Mobility Events to a Syslog Server
Log Guide: Log Data Field Reference
Parser Details
Log Format: CEF
Expected Normalization Rate: 90-100%
Data Label: NETMOTION
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
sourcetype | metadata.description |
prot | network.ip_protocol |
rx | network.received_bytes |
tx | network.sent_bytes |
app_fname | principal.application |
d_man | principal.asset.hardware.manufacturer |
d_mod | principal.asset.hardware.model |
lat | principal.asset.location.region_coordinates.latitude |
lon | principal.asset.location.region_coordinates.longitude |
m_pid | principal.asset.product_object_id |
app_fname | principal.asset.software.name |
app_ver | principal.asset.software.version |
d_name | principal.hostname |
src_ip | principal.ip |
mac | principal.mac |
service_port | principal.port |
src_port | principal.port |
app_path | principal.process.file.full_path |
app_name | principal.process.file.names |
app_procid | principal.process.pid |
m_user_group | principal.user.group_identifiers |
m_user | principal.user.userid |
message | security_result.description |
sev | security_result.severity |
alert_type | security_result.summary |
dest_name | target.hostname |
dest_ip | target.ip |
dest_port | target.port |
service_port | target.port |
Product Event Types
Event | UDM Event Classification |
---|---|
All other events | GENERIC_EVENT |
nm_app_flow | NETWORK_CONNECTION |
nm_app_dest_survey | NETWORK_CONNECTION |
nm_device_survey | STATUS_HEARTBEAT |
nm_adapter_surey | STATUS_UNCATEGORIZED |
Log Sample
<134>Mar 23 21:22:37 observer nmreporting[1234]: sourcetype="nm_app_flow" app_fname="My Application" app_name="APPLICATION.EXE" app_path="C:\\Program Files (x86)\\My Application\\APPLICATION.EXE" app_procid="1234" app_ver="1.0.0" d_auth_id="authid@domain.com" d_group="MyGroup" d_man="Manufacturer Name" d_mod="Device Model" d_name="hostname" dest_cat="5" dest_cat_desc="Computer and internet info" dest_ip="10.10.0.1" dest_name="my.website.com" dest_port="443" dest_rep="4000" dest_rep_desc="Low risk" event="Close" m_pid="12345678910" m_user="johndoe" m_user_group="Users" m_ver="12.34.5678" osver="1.01.1" out_tnl="1" plat="Windows" prot="TCP" rx="16505" src_ip="192.168.1.2" src_port="57478" tx="24158"
Sample Parsing
metadata.description = "Application flows"
metadata.event_timestamp = "2023-03-23T16:22:37Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_name = "NetMotion Mobility"
metadata.vendor_name = "Absolute Software"
network.ip_protocol = "TCP"
network.received_bytes = 16505
network.sent_bytes = 24158
observer.hostname = "observer"
principal.application = "My Application"
principal.asset.hardware.manufacturer = "Manufacturer Name"
principal.asset.hardware.model = "Device Model"
principal.product_object_id = "12345678910"
principal.software.name = "My Application"
principal.software.version = "1.0.0"
principal.hostname = "hostname"
principal.ip = "192.168.1.2"
principal.port = 57478
principal.process.file.full_path = "C:\\\\Program Files (x86)\\\\My Application\\\\APPLICATION.EXE"
principal.process.file.names = "APPLICATION.EXE"
principal.process.pid = "1234"
principal.user.group_identifiers = "Users"
principal.user.userid = "johndoe"
target.hostname = "my.website.com"
target.ip = "10.10.0.1"
target.port = 443
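The mapping above can be checked offline before relying on it in detections. The following Python is an added example, not the parser's own code: it extracts the key="value" pairs from a line shaped like the Log Sample, applies a subset of the field table, and classifies the event using the Product Event Types table. The names `to_udm`, `FIELD_MAP`, `EVENT_TYPES`, the two regular expressions and the flat dotted-path output are assumptions of this example.

```python
import re

# Constructed from the Log Sample above (shortened to the fields used here).
SAMPLE = (
    '<134>Mar 23 21:22:37 observer nmreporting[1234]: sourcetype="nm_app_flow" '
    'app_fname="My Application" app_name="APPLICATION.EXE" '
    r'app_path="C:\\Program Files (x86)\\My Application\\APPLICATION.EXE" '
    'dest_ip="10.10.0.1" dest_name="my.website.com" dest_port="443" '
    'm_user="johndoe" prot="TCP" rx="16505" src_ip="192.168.1.2" '
    'src_port="57478" tx="24158"'
)

# Subset of the field table above: log field -> UDM field(s).
FIELD_MAP = {
    "prot": ["network.ip_protocol"],
    "rx": ["network.received_bytes"],
    "tx": ["network.sent_bytes"],
    "app_fname": ["principal.application", "principal.asset.software.name"],
    "app_path": ["principal.process.file.full_path"],
    "src_ip": ["principal.ip"],
    "src_port": ["principal.port"],
    "m_user": ["principal.user.userid"],
    "dest_name": ["target.hostname"],
    "dest_ip": ["target.ip"],
    "dest_port": ["target.port"],
}
INT_FIELDS = {"rx", "tx", "src_port", "dest_port"}
# Product Event Types table; keys spelled as on the page.
EVENT_TYPES = {
    "nm_app_flow": "NETWORK_CONNECTION",
    "nm_app_dest_survey": "NETWORK_CONNECTION",
    "nm_device_survey": "STATUS_HEARTBEAT",
    "nm_adapter_surey": "STATUS_UNCATEGORIZED",
}
HEADER = re.compile(r"^<\d+>\w{3}\s+\d+ [\d:]{8} (\S+) \S+: (.*)$")
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # tolerates \" and \\ in values

def to_udm(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a NetMotion syslog line")
    kv = dict(PAIR.findall(m.group(2)))
    udm = {"observer.hostname": m.group(1),
           "metadata.event_type": EVENT_TYPES.get(kv.get("sourcetype"), "GENERIC_EVENT")}
    for field, paths in FIELD_MAP.items():
        if field in kv:
            value = int(kv[field]) if field in INT_FIELDS else kv[field]
            udm.update({p: value for p in paths})
    return udm
```

Values keep the backslash escaping found in the raw log line, so `app_path` comes back with doubled backslashes exactly as logged.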
Rules
Coming Soon