Sonicwall

About
SonicWall sells a range of Internet appliances primarily directed at content control and network security.
Product Details
Vendor URL: Sonicwall
Product Type: Firewall
Product Tier: Tier II
Integration Method: Syslog
Log Guide: Sonicwall Log Guide
Parser Details
Log Format: Syslog
Expected Normalization Rate: 97%-100%
Data Label: SONIC_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| sn | asset.product_object_id |
| NETWORK_CONNECTION | metadata.event_type |
| m | metadata.product_event_type |
| Firewall | metadata.product_name |
| SonicWall | metadata.vendor_name |
| proto | network.ip_protocol |
| id | observer.asset.hostname |
| fw | observer.asset.ip |
| sn | observer.asset.product_object_id |
| id | observer.hostname |
| fw | observer.ip |
| src | principal.asset.ip |
| srcMac | principal.asset.mac |
| src | principal.domain.name |
| src | principal.ip |
| src | principal.port |
| fw_action | security_result.action |
| c | security_result.category_detail |
| pri | security_result.priority_details |
| rule | security_result.rule_id |
| msg | security_result.summary |
| dst | target.asset.ip |
| dstMac | target.asset.mac |
| dst | target.ip |
| dst | target.port |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| All | NETWORK_CONNECTION |
Log Sample
<129> id=hostname1 sn=aaaabbbb3220 time="2022-04-13 12:30:09" fw=10.0.0.1 pri=1 c=0 m=1099 msg="DNS rebind attack blocked" app=2 n=2000000 src=10.10.0.1:X1:hostname.com:56 dst=10.10.0.2:53:X0 srcMac=aa:bb:ee:24:22:23 dstMac=aa:bb:ee:24:22:24 proto=udp/dns rule="LAN->WAN" fw_action="drop"
Sample Parsing
metadata.event_timestamp = "2022-04-13T12:30:09Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "SonicWall"
metadata.product_name = "Firewall"
metadata.product_event_type = "1099"
principal.ip = "10.10.0.1"
principal.port = 53
principal.mac = "aa:bb:ee:24:22:23"
principal.asset.ip = "10.10.0.1"
principal.asset.mac = "aa:bb:ee:24:22:23"
principal.domain.name = "hostname.com"
target.ip = "10.10.0.2"
target.port = 56
target.mac = "aa:bb:ee:24:22:24"
target.asset.ip = "10.10.0.2"
target.asset.mac = "aa:bb:ee:24:22:24"
observer.hostname = "hostname1"
observer.ip = "10.0.0.1"
observer.asset.product_object_id = "aaaabbbb3220"
observer.asset.hostname = "hostname1"
observer.asset.ip = "10.0.0.1"
security_result.summary = "DNS rebind attack blocked"
security_result.action = "BLOCK"
security_result.priority_details = "Alert"
security_result.rule_id = "LAN->WAN"
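As an added example (not the Chronicle parser itself, nor SonicWall code), the following Python sketch applies the field mapping from the table above to the sample log line. It assumes a UTC appliance clock, a syslog-severity name table for pri, a small fw_action-to-UDM-action table, and that the colon-delimited src/dst values are IPv4 first with a numeric port and a dotted hostname in any later position; IPv6 endpoints are out of scope.

```python
import shlex
from datetime import datetime, timezone

# Assumed: pri follows syslog severity names (the sample above maps pri=1 to "Alert").
PRIORITY = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]
# Assumed fw_action -> UDM action mapping (the sample above maps "drop" to "BLOCK").
ACTIONS = {"drop": "BLOCK", "deny": "BLOCK", "forward": "ALLOW", "allow": "ALLOW"}
# Constructed sample input: the log line from the "Log Sample" section above.
SAMPLE = ('<129> id=hostname1 sn=aaaabbbb3220 time="2022-04-13 12:30:09" fw=10.0.0.1 pri=1 c=0 m=1099 '
          'msg="DNS rebind attack blocked" app=2 n=2000000 src=10.10.0.1:X1:hostname.com:56 dst=10.10.0.2:53:X0 '
          'srcMac=aa:bb:ee:24:22:23 dstMac=aa:bb:ee:24:22:24 proto=udp/dns rule="LAN->WAN" fw_action="drop"')

def parse_kv(line):
    """Tokenize a SonicWall key=value syslog line; shlex keeps quoted values (msg, rule) whole."""
    body = line.split(">", 1)[1] if line.startswith("<") else line  # drop the syslog <PRI> header
    return dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)

def split_endpoint(value):
    """src/dst are colon-delimited: IPv4 first, then (assumed from the sample, in any order)
    a numeric port, an X<n> interface name and a hostname containing a dot."""
    parts = value.split(":")
    out = {"ip": parts[0]} if parts[0] else {}
    for tok in parts[1:]:
        if tok.isdigit():
            out["port"] = int(tok)
        elif "." in tok:  # interface names like X1 carry no dot, so this is the hostname
            out["hostname"] = tok
    return out

def to_udm(line):
    """Map the parsed fields onto the UDM fields listed in the table above."""
    kv = parse_kv(line)
    src, dst = split_endpoint(kv.get("src", "")), split_endpoint(kv.get("dst", ""))
    udm = {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.vendor_name": "SonicWall", "metadata.product_name": "Firewall",
        "metadata.product_event_type": kv.get("m"), "security_result.category_detail": kv.get("c"),
        "observer.hostname": kv.get("id"), "observer.ip": kv.get("fw"),
        "observer.asset.product_object_id": kv.get("sn"),
        "principal.ip": src.get("ip"), "principal.port": src.get("port"),
        "principal.mac": kv.get("srcMac"), "principal.domain.name": src.get("hostname"),
        "target.ip": dst.get("ip"), "target.port": dst.get("port"), "target.mac": kv.get("dstMac"),
        "network.ip_protocol": kv.get("proto", "").split("/")[0].upper() or None,
        "security_result.summary": kv.get("msg"), "security_result.rule_id": kv.get("rule"),
        "security_result.action": ACTIONS.get(kv.get("fw_action", "").lower(), "UNKNOWN_ACTION"),
    }
    if "time" in kv:  # assumed: the appliance clock is UTC, as the "Z" in the sample output implies
        ts = datetime.strptime(kv["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if kv.get("pri", "").isdigit() and int(kv["pri"]) < len(PRIORITY):
        udm["security_result.priority_details"] = PRIORITY[int(kv["pri"])]
    return {k: v for k, v in udm.items() if v is not None}
```

Comparing to_udm(SAMPLE) against the Sample Parsing section is a quick regression check for any custom field mapping before it is deployed.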
Parser Alerting
This product currently does not have any Parser-based Alerting.