From e2dd90b6ec63be3f39fe80d2948d4e5b2e75ca4b Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 4 Sep 2025 10:57:21 +0100
Subject: [PATCH 01/11] enhance: add base CEF and unifi CEF
---
 .tests/cef-logs/cef-logs.log | 2 +
 .tests/cef-logs/config.yaml | 10 +++
 .tests/cef-logs/parser.assert | 29 ++++++
 .tests/unifi-cef/cef-logs.log | 2 +
 .tests/unifi-cef/config.yaml | 11 +++
 .tests/unifi-cef/parser.assert | 0
 parsers/s00-raw/crowdsecurity/cef-logs.md | 41 +++++++++
 parsers/s00-raw/crowdsecurity/cef-logs.yaml | 17 ++++
 parsers/s01-parse/crowdsecurity/unifi-cef.md | 85 ++++++++++++++++++
 .../s01-parse/crowdsecurity/unifi-cef.yaml | 90 +++++++++++++++++++
 10 files changed, 287 insertions(+)
 create mode 100644 .tests/cef-logs/cef-logs.log
 create mode 100644 .tests/cef-logs/config.yaml
 create mode 100644 .tests/cef-logs/parser.assert
 create mode 100644 .tests/unifi-cef/cef-logs.log
 create mode 100644 .tests/unifi-cef/config.yaml
 create mode 100644 .tests/unifi-cef/parser.assert
 create mode 100644 parsers/s00-raw/crowdsecurity/cef-logs.md
 create mode 100644 parsers/s00-raw/crowdsecurity/cef-logs.yaml
 create mode 100644 parsers/s01-parse/crowdsecurity/unifi-cef.md
 create mode 100644 parsers/s01-parse/crowdsecurity/unifi-cef.yaml
diff --git a/.tests/cef-logs/cef-logs.log b/.tests/cef-logs/cef-logs.log
new file mode 100644
index 00000000000..8186bc65796
--- /dev/null
+++ b/.tests/cef-logs/cef-logs.log
@@ -0,0 +1,2 @@
+CEF:0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222
+0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked.
diff --git a/.tests/cef-logs/config.yaml b/.tests/cef-logs/config.yaml
new file mode 100644
index 00000000000..45514e407c5
--- /dev/null
+++ b/.tests/cef-logs/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+- ./parsers/s00-raw/crowdsecurity/cef-logs.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+collections:
+- ""
+log_file: cef-logs.log
+log_type: cef
diff --git a/.tests/cef-logs/parser.assert b/.tests/cef-logs/parser.assert
new file mode 100644
index 00000000000..645a3086d46
--- /dev/null
+++ b/.tests/cef-logs/parser.assert
@@ -0,0 +1,29 @@
+len(results) == 2
+len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_severity"] == "1"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_signature_id"] == "544"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/unifi-cef/cef-logs.log b/.tests/unifi-cef/cef-logs.log
new file mode 100644
index 00000000000..8186bc65796
--- /dev/null
+++ b/.tests/unifi-cef/cef-logs.log
@@ -0,0 +1,2 @@
+CEF:0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222
+0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked.
diff --git a/.tests/unifi-cef/config.yaml b/.tests/unifi-cef/config.yaml
new file mode 100644
index 00000000000..be4e2fcf736
--- /dev/null
+++ b/.tests/unifi-cef/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- ./parsers/s00-raw/crowdsecurity/cef-logs.yaml
+- ./parsers/s01-parse/crowdsecurity/unifi-cef.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+collections:
+- ""
+log_file: cef-logs.log
+log_type: cef
diff --git a/.tests/unifi-cef/parser.assert b/.tests/unifi-cef/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/parsers/s00-raw/crowdsecurity/cef-logs.md b/parsers/s00-raw/crowdsecurity/cef-logs.md
new file mode 100644
index 00000000000..4a38bb742cb
--- /dev/null
+++ b/parsers/s00-raw/crowdsecurity/cef-logs.md
@@ -0,0 +1,41 @@
+# CEF parser
+
+This parser handles logs in the Common Event Format (CEF), a standardized logging format used by various security devices and applications.
+
+The parser extracts key CEF fields including the device vendor (manufacturer), product, version, signature ID, event name, and severity level.
+
+## CEF Format
+
+The parser handles the standard CEF format:
+
+```
+CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
+```
+
+## Requirements
+
+When using this parser, you need to specify `type: cef` in your `acquis.yaml` configuration. The parser will automatically extract the manufacturer from the `Device Vendor` field and set it as the `program` field for downstream processing.
+
+## Example configuration
+
+```yaml
+source: file
+filenames:
+ - /var/log/cef/*.log
+labels:
+ type: cef
+```
+
+## Extracted fields
+
+The parser extracts the following CEF fields:
+
+- `cef_device_vendor` - The device manufacturer/vendor
+- `cef_device_product` - The product name
+- `cef_device_version` - The product version
+- `cef_signature_id` - Unique event signature identifier
+- `cef_event_name` - Human-readable event name
+- `cef_severity` - Event severity level (0-10)
+- `message` - Any additional extension data or message content
+
+The `cef_device_vendor` field is also mapped to the `program` field for compatibility with other parsers.
diff --git a/parsers/s00-raw/crowdsecurity/cef-logs.yaml b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
new file mode 100644
index 00000000000..04238b4c501
--- /dev/null
+++ b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
@@ -0,0 +1,17 @@
+filter: "evt.Line.Labels.type == 'cef'"
+onsuccess: next_stage
+pattern_syntax:
+  CEF_HEADER: '(CEF:)?%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'
+name: crowdsecurity/cef-logs
+description: CEF (Common Event Format) logs parser
+nodes:
+  - grok:
+      pattern: "^%{CEF_HEADER}%{SPACE}\\|?%{GREEDYDATA:message}"
+      apply_on: Line.Raw
+statics:
+  - parsed: "program"
+    expression: evt.Parsed.cef_device_vendor
+  - meta: datasource_path
+    expression: evt.Line.Src
+  - meta: datasource_type
+    expression: evt.Line.Module
diff --git a/parsers/s01-parse/crowdsecurity/unifi-cef.md b/parsers/s01-parse/crowdsecurity/unifi-cef.md
new file mode 100644
index 00000000000..6b443e419c9
--- /dev/null
+++ b/parsers/s01-parse/crowdsecurity/unifi-cef.md
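Review bot: `%{INT:cef_severity}` in `CEF_HEADER` accepts only a numeric severity, while the CEF header also allows the textual values `Low`, `Medium`, `High` and `Very-High`; a producer emitting those never matches the node, and since this is the only s00-raw parser for `type: cef` such lines are presumably discarded. A tolerant form that keeps `cef_severity` a string is an extra `pattern_syntax` entry, `CEF_SEVERITY: '[^|]+'`, used as `%{CEF_SEVERITY:cef_severity}` in place of `%{INT:cef_severity}`. The `%{DATA:…}` header fields also do not honour CEF's `\|` escape, so a vendor or product name containing an escaped pipe shifts every later field by one; that limitation belongs in `description` (or cef-logs.md) until the pattern handles it. The `^`-anchored match on `Line.Raw` additionally assumes the line begins with the header, so CEF carried inside a syslog frame will not match here either — worth a line in the docs about which acquisition sources this label is expected on.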
@@ -0,0 +1,85 @@
+# Unifi CEF parser
+
+This parser specifically handles CEF logs from Ubiquiti UniFi Network devices, filtering by vendor and product to ensure it only processes relevant logs.
+
+## Purpose
+
+The parser extracts Unifi-specific CEF extension fields that contain valuable metadata about network events, device information, and security alerts from UniFi devices.
+
+It uses comprehensive grok patterns that parse the entire CEF extension message in the expected field order, ensuring compatibility with the Go grok implementation.
+
+## Parser Structure
+
+The parser uses a single configuration with two grok patterns, each optimized for different types of Unifi CEF events with pattern-specific statics:
+
+### Pattern Organization
+- **Admin/System Pattern** (`UNIFI_ADMIN_PATTERN`): Handles administrative actions like logins and system access
+- **Security/Threat Pattern** (`UNIFI_SECURITY_PATTERN`): Handles security alerts and intrusion prevention
+
+### Event Types Handled
+
+#### Admin/System Events
+Pattern matches logs like:
+```
+UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=...
+```
+
+**Admin pattern extracts and sets:**
+- `admin_user` - Admin user who performed the action
+- `access_method` - How access was performed (web, API, etc.)
+- `timestamp` - UTC timestamp of the event
+- Common fields: vendor, product, category, subcategory, host, severity, etc.
+
+#### Security/Threat Events
+Pattern matches logs like:
+```
+proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=... msg=...
+```
+
+**Security pattern extracts and sets:**
+- `device_name`, `device_model`, `device_mac`, `device_ip` - Device information
+- `protocol`, `source_port`, `destination_ip`, `destination_port` - Network details
+- `risk_level`, `ips_signature`, `ips_signature_id`, `ips_session_id` - Threat information
+- Common fields: vendor, product, category, subcategory, host, severity, etc.
+
+## Filtering
+
+The parser automatically filters for logs where:
+- `cef_device_vendor` equals "Ubiquiti"
+- `cef_device_product` equals "UniFi Network"
+
+This ensures the parser only processes actual Unifi CEF logs and doesn't interfere with other CEF sources.
+
+## Extracted metadata
+
+The parser extracts the following Unifi-specific fields into metadata:
+
+### Device Information
+- `device_name` - Name of the Unifi device
+- `device_model` - Model of the device (e.g., UX7, USG)
+- `device_mac` - MAC address of the device
+- `device_version` - Firmware version
+- `host` - Hostname of the device
+
+### Network Information
+- `source_ip` - Source IP address
+- `protocol` - Network protocol (TCP, UDP, etc.)
+- `source_port` - Source port
+- `destination_port` - Destination port
+
+### Security & Events
+- `category` - Event category (System, Security, etc.)
+- `subcategory` - Event subcategory
+- `risk_level` - Risk level (high, medium, low)
+- `event_severity` - CEF severity level
+- `admin_user` - Admin user who performed action
+- `access_method` - How access was performed (web, API, etc.)
+
+### IPS/Threat Information
+- `ips_signature` - IPS signature that triggered
+- `ips_signature_id` - IPS signature ID
+- `ips_session_id` - IPS session identifier
+
+## Usage
+
+This parser should be used after the `cef-logs` parser in the s00-raw stage. It will automatically filter and enrich Unifi CEF logs with structured metadata for use in scenarios and correlation rules.
diff --git a/parsers/s01-parse/crowdsecurity/unifi-cef.yaml b/parsers/s01-parse/crowdsecurity/unifi-cef.yaml
new file mode 100644
index 00000000000..d5704c637e1
--- /dev/null
+++ b/parsers/s01-parse/crowdsecurity/unifi-cef.yaml
@@ -0,0 +1,90 @@
+onsuccess: next_stage
+filter: "evt.Parsed.cef_device_vendor == 'Ubiquiti' && evt.Parsed.cef_device_product == 'UniFi Network'"
+name: crowdsecurity/unifi-cef
+description: "Parse Unifi CEF logs"
+pattern_syntax:
+  UNIFI_ADMIN_PATTERN: 'UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIaccessMethod=(%{DATA:unifi_access_method}) UNIFIadmin=(%{DATA:unifi_admin}) src=(%{IP:src_ip}) UNIFIutcTime=(%{DATA:unifi_utc_time}) msg=(%{DATA:msg})'
+  UNIFI_SECURITY_PATTERN: 'proto=(%{WORD:protocol}) src=(%{IP:src_ip}) spt=(%{INT:src_port}) dst=(%{IP:dst_ip}) dpt=(%{INT:dst_port}) UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIdeviceMac=(%{DATA:unifi_device_mac}) UNIFIdeviceName=(%{DATA:unifi_device_name}) UNIFIdeviceModel=(%{DATA:unifi_device_model}) UNIFIdeviceIp=(%{IP:unifi_device_ip}) UNIFIdeviceVersion=(%{DATA:unifi_device_version}) UNIFIrisk=(%{DATA:unifi_risk}) UNIFIipsSessionId=(%{DATA:unifi_ips_session_id}) UNIFIipsSignature=(%{DATA:unifi_ips_signature}) UNIFIipsSignatureId=(%{DATA:unifi_ips_signature_id}) msg=(%{DATA:msg})'
+nodes:
+  - grok:
+      pattern: '%{UNIFI_ADMIN_PATTERN}'
+      apply_on: message
+    statics:
+      - meta: service
+        value: unifi
+      - meta: vendor
+        expression: evt.Parsed.cef_device_vendor
+      - meta: product
+        expression: evt.Parsed.cef_device_product
+      - meta: device_version
+        expression: evt.Parsed.cef_device_version
+      - meta: source_ip
+        expression: evt.Parsed.src_ip
+      - meta: admin_user
+        expression: evt.Parsed.unifi_admin
+      - meta: category
+        expression: evt.Parsed.unifi_category
+      - meta: subcategory
+        expression: evt.Parsed.unifi_subcategory
+      - meta: access_method
+        expression: evt.Parsed.unifi_access_method
+      - meta: host
+        expression: evt.Parsed.unifi_host
+      - meta: event_severity
+        expression: evt.Parsed.cef_severity
+      - meta: event_signature_id
+        expression: evt.Parsed.cef_signature_id
+      - 
meta: timestamp
+        expression: evt.Parsed.unifi_utc_time
+      - meta: message
+        expression: evt.Parsed.msg
+  - grok:
+      pattern: '%{UNIFI_SECURITY_PATTERN}'
+      apply_on: message
+    statics:
+      - meta: service
+        value: unifi
+      - meta: vendor
+        expression: evt.Parsed.cef_device_vendor
+      - meta: product
+        expression: evt.Parsed.cef_device_product
+      - meta: device_version
+        expression: evt.Parsed.cef_device_version
+      - meta: source_ip
+        expression: evt.Parsed.src_ip
+      - meta: device_name
+        expression: evt.Parsed.unifi_device_name
+      - meta: device_model
+        expression: evt.Parsed.unifi_device_model
+      - meta: device_mac
+        expression: evt.Parsed.unifi_device_mac
+      - meta: device_ip
+        expression: evt.Parsed.unifi_device_ip
+      - meta: category
+        expression: evt.Parsed.unifi_category
+      - meta: subcategory
+        expression: evt.Parsed.unifi_subcategory
+      - meta: host
+        expression: evt.Parsed.unifi_host
+      - meta: risk_level
+        expression: evt.Parsed.unifi_risk
+      - meta: ips_signature
+        expression: evt.Parsed.unifi_ips_signature
+      - meta: ips_signature_id
+        expression: evt.Parsed.unifi_ips_signature_id
+      - meta: ips_session_id
+        expression: evt.Parsed.unifi_ips_session_id
+      - meta: event_severity
+        expression: evt.Parsed.cef_severity
+      - meta: event_signature_id
+        expression: evt.Parsed.cef_signature_id
+      - meta: protocol
+        expression: evt.Parsed.protocol
+      - meta: source_port
+        expression: evt.Parsed.src_port
+      - meta: destination_ip
+        expression: evt.Parsed.dst_ip
+      - meta: destination_port
+        expression: evt.Parsed.dst_port
+      - meta: message
+        expression: evt.Parsed.msg
From f669a68d87a65059807b8b38a205ef8701e0a951 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 4 Sep 2025 11:00:02 +0100
Subject: [PATCH 02/11] enhance: forgot assert
---
 .tests/unifi-cef/parser.assert.dump | 115 ++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 .tests/unifi-cef/parser.assert.dump
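Review bot: `msg=(%{DATA:msg})` closes both `UNIFI_ADMIN_PATTERN` and `UNIFI_SECURITY_PATTERN` with a lazy `.*?` that nothing anchors, so it matches the empty string and the `message` static in each node is never populated; the assert generated in the next patch has no `msg` or `message` entry for either event, which is consistent with an empty capture. Use `msg=%{GREEDYDATA:msg}` as the final field of both patterns (the parentheses wrapping every `%{…}` are redundant and can go). `device_version` is exported from `cef_device_version` (the controller version, `9.3.45` in the fixture) while the parsed `unifi_device_version` (`4.2.15`, the device firmware) is dropped, which contradicts unifi-cef.md describing `device_version` as the firmware version — map `unifi_device_version` to a meta key of its own or correct the doc. The seven statics both nodes repeat (`service`, `vendor`, `product`, `device_version`, `event_severity`, `event_signature_id`, `message`) could be hoisted into a top-level `statics:` block so they apply once whichever node succeeds. Both patterns also require the exact key order of the two fixture lines, so UniFi events with any other extension key set presumably match neither node and are left unparsed at this stage; that coverage limit belongs in `description`.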
diff --git a/.tests/unifi-cef/parser.assert.dump b/.tests/unifi-cef/parser.assert.dump
new file mode 100644
index 00000000000..24e824968f9
--- /dev/null
+++ b/.tests/unifi-cef/parser.assert.dump
@@ -0,0 +1,115 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_severity"] == "1"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_signature_id"] == "544"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/unifi-cef"]) == 2
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Success == true
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_severity"] == "1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_signature_id"] == "544"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_version"] == "0"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["program"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["src_ip"] == "10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_access_method"] == "web"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_admin"] == "Secure Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_category"] == "System"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_host"] == "Unifi Dream Machine"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_subcategory"] == "Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_utc_time"] == "2025-09-04T08:32:58.445Z"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["access_method"] == "web"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["admin_user"] == "Secure Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["category"] == "System"
+basename(results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["device_version"] == "9.4.19"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_severity"] == "1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_signature_id"] == "544"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["host"] == "Unifi Dream Machine"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["service"] == "unifi"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["source_ip"] == "10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["subcategory"] == "Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["timestamp"] == "2025-09-04T08:32:58.445Z"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Success == true
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_severity"] == "7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_signature_id"] == "201"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_version"] == "0"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_ip"] == "192.168.0.233"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_port"] == "80"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["program"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["protocol"] == "TCP"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_port"] == "54587"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_category"] == "Security"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_mac"] == "84:78:48:80:0d:86"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_model"] == "UX7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_name"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_version"] == "4.2.15"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_host"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_session_id"] == "2138629792252828"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature_id"] == "2402000"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_risk"] == "medium"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_subcategory"] == "Intrusion Prevention"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["category"] == "Security"
+basename(results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_ip"] == "192.168.0.233"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_port"] == "80"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_mac"] == "84:78:48:80:0d:86"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_model"] == "UX7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_name"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_version"] == "9.3.45"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_severity"] == "7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_signature_id"] == "201"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["host"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_session_id"] == "2138629792252828"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature_id"] == "2402000"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["protocol"] == "TCP"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["risk_level"] == "medium"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["service"] == "unifi"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_port"] == "54587"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["subcategory"] == "Intrusion Prevention"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
From 9f3263560a7252de24b8a575289bb97cb2e41507 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 4 Sep 2025 11:01:01 +0100
Subject: [PATCH 03/11] enhance: move assert
---
 .tests/unifi-cef/parser.assert | 115 ++++++++++++++++++++++++++++
 .tests/unifi-cef/parser.assert.dump | 115 ----------------------------
 2 files changed, 115 insertions(+), 115 deletions(-)
 delete mode 100644 .tests/unifi-cef/parser.assert.dump
diff --git a/.tests/unifi-cef/parser.assert b/.tests/unifi-cef/parser.assert
index e69de29bb2d..24e824968f9 100644
--- a/.tests/unifi-cef/parser.assert
+++ b/.tests/unifi-cef/parser.assert
@@ -0,0 +1,115 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_severity"] == "1"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_signature_id"] == "544"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/unifi-cef"]) == 2
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Success == true
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_severity"] == "1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_signature_id"] == "544"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_version"] == "0"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["program"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["src_ip"] == "10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_access_method"] == "web"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_admin"] == "Secure Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_category"] == "System"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_host"] == "Unifi Dream Machine"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_subcategory"] == "Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_utc_time"] == "2025-09-04T08:32:58.445Z"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["access_method"] == "web"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["admin_user"] == "Secure Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["category"] == "System"
+basename(results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["device_version"] == "9.4.19"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_severity"] == "1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_signature_id"] == "544"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["host"] == "Unifi Dream Machine"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["service"] == "unifi"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["source_ip"] == "10.72.1.222"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["subcategory"] == "Admin"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["timestamp"] == "2025-09-04T08:32:58.445Z"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Success == true
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_severity"] == "7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_signature_id"] == "201"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_version"] == "0"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_ip"] == "192.168.0.233"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_port"] == "80"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["program"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["protocol"] == "TCP"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_port"] == "54587"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_category"] == "Security"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_mac"] == "84:78:48:80:0d:86"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_model"] == "UX7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_name"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_version"] == "4.2.15"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_host"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_session_id"] == "2138629792252828"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature_id"] == "2402000"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_risk"] == "medium"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_subcategory"] == "Intrusion Prevention"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["category"] == "Security"
+basename(results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_ip"] == "192.168.0.233"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_port"] == "80"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_mac"] == "84:78:48:80:0d:86"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_model"] == "UX7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_name"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_version"] == "9.3.45"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_severity"] == "7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_signature_id"] == "201"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["host"] == "Express 7"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_session_id"] == "2138629792252828"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature_id"] == "2402000"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["product"] == "UniFi Network"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["protocol"] == "TCP"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["risk_level"] == "medium"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["service"] == "unifi"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_ip"] == "192.168.0.1"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_port"] == "54587"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["subcategory"] == "Intrusion Prevention"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["vendor"] == "Ubiquiti"
+results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
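Review bot: `Evt.Meta["device_version"] == "9.3.45"` on the second event pins the CEF header version (`cef_device_version`, i.e. the UniFi Network application) while the device's own firmware is parsed separately as `unifi_device_version == "4.2.15"`; sitting next to `device_name`, `device_model` and `device_ip`, a meta key called `device_version` reads as the firmware version, so the parser's .md (not in this hunk) should state which one it carries, or the meta should be renamed to something like `product_version`. In this fixture `source_ip` and `device_ip` are both `192.168.0.1` for the IPS event, so the assertions do not demonstrate that `src` rather than `UNIFIdeviceIp` drives `source_ip`; a sample where the two differ would make that explicit, and it matters because `source_ip` is the field downstream scenarios act on. The missing `Meta["timestamp"]` assertion for the second event is consistent with that sample carrying no `UNIFIutcTime`, which deserves a one-line comment so the gap is not read as an oversight.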
diff --git a/.tests/unifi-cef/parser.assert.dump b/.tests/unifi-cef/parser.assert.dump
deleted file mode 100644
index 24e824968f9..00000000000
--- a/.tests/unifi-cef/parser.assert.dump
+++ /dev/null
@@ -1,115 +0,0 @@
-len(results) == 3
-len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_severity"] == "1"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_signature_id"] == "544"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_version"] == "0"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["program"] == "Ubiquiti"
-basename(results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti"
-basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Whitelisted == false
-len(results["s01-parse"]["crowdsecurity/unifi-cef"]) == 2
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Success == true
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_product"] == "UniFi Network"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_device_version"] == "9.4.19"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_severity"] == "1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_signature_id"] == "544"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["cef_version"] == "0"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["program"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["src_ip"] == "10.72.1.222"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_access_method"] == "web"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_admin"] == "Secure Admin"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_category"] == "System"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_host"] == "Unifi Dream Machine"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_subcategory"] == "Admin"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Parsed["unifi_utc_time"] == "2025-09-04T08:32:58.445Z"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["access_method"] == "web"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["admin_user"] == "Secure Admin"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["category"] == "System"
-basename(results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_path"]) == "cef-logs.log"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["device_version"] == "9.4.19"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_severity"] == "1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["event_signature_id"] == "544"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["host"] == "Unifi Dream Machine"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["product"] == "UniFi Network"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["service"] == "unifi"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["source_ip"] == "10.72.1.222"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["subcategory"] == "Admin"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["timestamp"] == "2025-09-04T08:32:58.445Z"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["vendor"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Whitelisted == false
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Success == true
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_product"] == "UniFi Network"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_version"] == "9.3.45"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_severity"] == "7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_signature_id"] == "201"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_version"] == "0"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_ip"] == "192.168.0.233"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_port"] == "80"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked."
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["program"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["protocol"] == "TCP"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_ip"] == "192.168.0.1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_port"] == "54587"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_category"] == "Security"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_ip"] == "192.168.0.1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_mac"] == "84:78:48:80:0d:86"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_model"] == "UX7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_name"] == "Express 7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_version"] == "4.2.15"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_host"] == "Express 7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_session_id"] == "2138629792252828"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature_id"] == "2402000"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_risk"] == "medium"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_subcategory"] == "Intrusion Prevention"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["category"] == "Security"
-basename(results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_path"]) == "cef-logs.log"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_ip"] == "192.168.0.233"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_port"] == "80"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_ip"] == "192.168.0.1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_mac"] == "84:78:48:80:0d:86"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_model"] == "UX7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_name"] == "Express 7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_version"] == "9.3.45"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_severity"] == "7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_signature_id"] == "201"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["host"] == "Express 7"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_session_id"] == "2138629792252828"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature"] == "ET DROP Dshield Block Listed Source group 1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature_id"] == "2402000"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["product"] == "UniFi Network"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["protocol"] == "TCP"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["risk_level"] == "medium"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["service"] == "unifi"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_ip"] == "192.168.0.1"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_port"] == "54587"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["subcategory"] == "Intrusion Prevention"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["vendor"] == "Ubiquiti"
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Whitelisted == false
-len(results["success"][""]) == 0
From 084452d1865be8a984fd4cd9eeb2c9ad98190e47 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 4 Sep 2025 11:28:50 +0100
Subject: [PATCH 04/11] enhance: add collection with all information about rsyslog
---
 collections/crowdsecurity/unifi-cef.md | 93 ++++++++++++++++++++++++
 collections/crowdsecurity/unifi-cef.yaml | 9 +++
 2 files changed, 102 insertions(+)
 create mode 100644 collections/crowdsecurity/unifi-cef.md
 create mode 100644 collections/crowdsecurity/unifi-cef.yaml
diff --git a/collections/crowdsecurity/unifi-cef.md b/collections/crowdsecurity/unifi-cef.md
new file mode 100644
index 00000000000..017be0340dc
--- /dev/null
+++ b/collections/crowdsecurity/unifi-cef.md
@@ -0,0 +1,93 @@ +**UniFi CEF logs collection** + +Provides support for parsing UniFi device logs in CEF (Common Event Format). + +Includes both base CEF parsing and UniFi-specific field extraction for admin and security events. + +## Setup Notes + +**Important:** The built-in CrowdSec syslog acquisition does not support CEF format. You must use rsyslog to collect and forward CEF logs from your UniFi devices. + +### UniFi Device Configuration + +Configure your UniFi devices to send CEF logs to your rsyslog server: + +1. In UniFi Controller Settings → System → Remote Logging +2. Set the remote syslog server IP address and port (default: 514) +3. Select CEF format for log export +4. Enable the desired logging categories (Admin Events, Security Events, etc.) + +### rsyslog Configuration + +Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: + +```bash +# Template to extract only CEF message content (no syslog headers) +template(name="CEF" type="string" string="%msg%\n") + +# Rules for UniFi devices +if $fromhost-ip startswith '192.168.' then { + action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") + stop +} +``` + +Restart rsyslog after configuration: +```bash +sudo systemctl restart rsyslog +``` + +### Log Rotation Configuration + +To prevent CEF log files from growing too large, configure logrotate for the CEF logs. 
Create `/etc/logrotate.d/unifi-cef`: + +```bash +/var/log/unifi-cef.log { + daily + rotate 7 + compress + delaycompress + missingok + notifempty + postrotate + systemctl reload rsyslog >/dev/null 2>&1 || true + endscript +} +``` + +This configuration will: +- Rotate logs daily +- Keep 7 days of logs +- Compress rotated logs +- Reload rsyslog after rotation + +Test the logrotate configuration: +```bash +sudo logrotate -d /etc/logrotate.d/unifi-cef +``` + +And run it manually if needed: +```bash +sudo logrotate -f /etc/logrotate.d/unifi-cef +``` + +## Acquisition template + +Example acquisition for this collection: + +```yaml +--- +filenames: + - /var/log/unifi-cef.log +labels: + type: cef +``` + +## Supported Event Types + +This collection handles two main types of UniFi CEF events: + +- **Admin Events**: Login attempts, configuration changes, device management +- **Security Events**: IPS alerts, blocked connections, threat detection + +All events include rich metadata such as device information, source/destination details, and UniFi-specific context. diff --git a/collections/crowdsecurity/unifi-cef.yaml b/collections/crowdsecurity/unifi-cef.yaml new file mode 100644 index 00000000000..710415b4a0c --- /dev/null +++ b/collections/crowdsecurity/unifi-cef.yaml @@ -0,0 +1,9 @@ +parsers: + - crowdsecurity/cef-logs + - crowdsecurity/unifi-cef +description: "UniFi CEF logs support : base CEF parsing + UniFi specific parsing" +author: crowdsecurity +tags: + - unifi + - cef + - ubiquiti From 5d1b2dd37f6f9feeebf31c45acd40edb2d1234c8 Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 4 Sep 2025 12:08:25 +0100 Subject: [PATCH 05/11] enhance: add more rsyslog config --- collections/crowdsecurity/unifi-cef.md | 60 ++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 8 deletions(-) diff --git a/collections/crowdsecurity/unifi-cef.md b/collections/crowdsecurity/unifi-cef.md index 017be0340dc..a368c5119da 100644 --- a/collections/crowdsecurity/unifi-cef.md 
+++ b/collections/crowdsecurity/unifi-cef.md @@ -14,20 +14,31 @@ Configure your UniFi devices to send CEF logs to your rsyslog server: 1. In UniFi Controller Settings → System → Remote Logging 2. Set the remote syslog server IP address and port (default: 514) -3. Select CEF format for log export -4. Enable the desired logging categories (Admin Events, Security Events, etc.) +3. Enable the desired logging categories (Admin Events, Security Events, etc.) ### rsyslog Configuration Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: ```bash +module(load="imudp") +input(type="imudp" port="4242") # Template to extract only CEF message content (no syslog headers) template(name="CEF" type="string" string="%msg%\n") +# Template for standard syslog format (preserves full syslog structure) +template(name="Syslog" type="string" string="%timegenerated% %hostname% %syslogtag%%msg%\n") + # Rules for UniFi devices -if $fromhost-ip startswith '192.168.' then { - action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") +if $fromhost-ip != '127.0.0.1' then { + # Check if message starts with CEF + if $msg startswith 'CEF' then { + # CEF messages go to unifi-cef.log + action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") + } else { + # Non-CEF syslog messages go to unifi-syslog.log + action(type="omfile" file="/var/log/unifi-syslog.log" template="Syslog") + } stop } ``` @@ -37,12 +48,17 @@ Restart rsyslog after configuration: sudo systemctl restart rsyslog ``` +Verify UDP port is listening: +```bash +sudo netstat -uln | grep 4242 +``` + ### Log Rotation Configuration -To prevent CEF log files from growing too large, configure logrotate for the CEF logs. Create `/etc/logrotate.d/unifi-cef`: +To prevent log files from growing too large, configure logrotate for both CEF and syslog files. Create `/etc/logrotate.d/unifi-cef`: ```bash -/var/log/unifi-cef.log { +/var/log/unifi-cef.log /var/log/unifi-syslog.log { daily rotate 7 compress 
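Review bot: The routing test `if $msg startswith 'CEF' then {` is fragile: when a sender emits a bare `CEF:0|...` payload, rsyslog's RFC3164 parser can take `CEF:` as the syslog TAG, leaving `msg` starting at `0|` (often with a leading space), in which case every event falls through to unifi-syslog.log and the `%msg%` template also writes CEF lines without their `CEF:` prefix. A safer test is `if $rawmsg contains 'CEF:' then {`, and both the test and the template should be checked against a real capture from a device before the doc is published. The device steps kept as context above still say `port (default: 514)` while the new `input(type="imudp" port="4242")` listens elsewhere; either align the two or say that the port is arbitrary but must match on both sides. Minor: `netstat` is absent on many current distributions, so `ss -uln | grep 4242` is the more portable check.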
@@ -71,9 +87,9 @@ And run it manually if needed: sudo logrotate -f /etc/logrotate.d/unifi-cef ``` -## Acquisition template +## Acquisition templates -Example acquisition for this collection: +Example acquisition for CEF logs (recommended for security monitoring): ```yaml --- @@ -83,6 +99,16 @@ labels: type: cef ``` +Optional: If you also want to monitor non-CEF syslog messages from UniFi devices: + +```yaml +--- +filenames: + - /var/log/unifi-syslog.log +labels: + type: unifi +``` + ## Supported Event Types This collection handles two main types of UniFi CEF events: @@ -91,3 +117,21 @@ This collection handles two main types of UniFi CEF events: - **Security Events**: IPS alerts, blocked connections, threat detection All events include rich metadata such as device information, source/destination details, and UniFi-specific context. + +The configuration also separates CEF-formatted messages from standard syslog messages, allowing you to monitor both structured security events and general device logs. + +## Testing the Configuration + +After setup, test that logs are being received and properly separated: + +```bash +# Send a test CEF message +echo "CEF:0|Test|Test|1.0|TEST|Test Event|5|src=192.168.1.100" | nc -u -w1 localhost 514 + +# Send a test syslog message +echo "test syslog message from unifi device" | nc -u -w1 localhost 514 + +# Check that messages went to correct files +tail -f /var/log/unifi-cef.log +tail -f /var/log/unifi-syslog.log +``` From 1c76ce04f1b29bddf779d7f76c6a363ada1eae1f Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 4 Sep 2025 12:11:24 +0100 Subject: [PATCH 06/11] enhance: add more rsyslog config --- collections/crowdsecurity/unifi-cef.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/collections/crowdsecurity/unifi-cef.md b/collections/crowdsecurity/unifi-cef.md index a368c5119da..40cf48162be 100644 --- a/collections/crowdsecurity/unifi-cef.md +++ b/collections/crowdsecurity/unifi-cef.md 
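Review bot: The Testing section cannot exercise the configuration it describes: `nc -u -w1 localhost 514` sends to port 514 while the listener is on 4242, and a loopback sender fails the `$fromhost-ip != '127.0.0.1'` guard, so neither message reaches the unifi files. The text should tell the reader to send from a host in the allowed range to the rsyslog host's LAN address on 4242, or explain why the test must run off-box. The two `tail -f` commands also never show the second file because the first one never returns; `tail -n 5 /var/log/unifi-cef.log /var/log/unifi-syslog.log` shows both. Since anything written to unifi-cef.log is parsed by CrowdSec as a real event with `src` becoming `source_ip`, the sample should use a documentation address such as `src=192.0.2.10` (constructed, TEST-NET-1) rather than a plausible LAN address, so a test line cannot turn into a decision if scenarios are attached.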
@@ -20,6 +20,8 @@ Configure your UniFi devices to send CEF logs to your rsyslog server: Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: +> replace `$AllowedSender` ranges with your unifi device IP address or ranges + ```bash module(load="imudp") input(type="imudp" port="4242") @@ -29,6 +31,8 @@ template(name="CEF" type="string" string="%msg%\n") # Template for standard syslog format (preserves full syslog structure) template(name="Syslog" type="string" string="%timegenerated% %hostname% %syslogtag%%msg%\n") +$AllowedSender UDP, 192.168.1.0/24, 192.168.11.1/32 + # Rules for UniFi devices if $fromhost-ip != '127.0.0.1' then { # Check if message starts with CEF From 46ba7614c6ecf30316e6db479eab1d29ff97081b Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 4 Sep 2025 14:37:43 +0100 Subject: [PATCH 07/11] enhance: remove cef unifi and have a single unifi collection --- collections/crowdsecurity/unifi-cef.md | 141 --------------------- collections/crowdsecurity/unifi-cef.yaml | 9 -- collections/crowdsecurity/unifi.md | 155 ++++++++++++++++++++++- collections/crowdsecurity/unifi.yaml | 5 +- 4 files changed, 155 insertions(+), 155 deletions(-) delete mode 100644 collections/crowdsecurity/unifi-cef.md delete mode 100644 collections/crowdsecurity/unifi-cef.yaml diff --git a/collections/crowdsecurity/unifi-cef.md b/collections/crowdsecurity/unifi-cef.md deleted file mode 100644 index 40cf48162be..00000000000 --- a/collections/crowdsecurity/unifi-cef.md +++ /dev/null 
@@ -1,141 +0,0 @@ -**UniFi CEF logs collection** - -Provides support for parsing UniFi device logs in CEF (Common Event Format). - -Includes both base CEF parsing and UniFi-specific field extraction for admin and security events. - -## Setup Notes - -**Important:** The built-in CrowdSec syslog acquisition does not support CEF format. You must use rsyslog to collect and forward CEF logs from your UniFi devices. - -### UniFi Device Configuration - -Configure your UniFi devices to send CEF logs to your rsyslog server: - -1. In UniFi Controller Settings → System → Remote Logging -2. Set the remote syslog server IP address and port (default: 514) -3. Enable the desired logging categories (Admin Events, Security Events, etc.) - -### rsyslog Configuration - -Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: - -> replace `$AllowedSender` ranges with your unifi device IP address or ranges - -```bash -module(load="imudp") -input(type="imudp" port="4242") -# Template to extract only CEF message content (no syslog headers) -template(name="CEF" type="string" string="%msg%\n") - -# Template for standard syslog format (preserves full syslog structure) -template(name="Syslog" type="string" string="%timegenerated% %hostname% %syslogtag%%msg%\n") - -$AllowedSender UDP, 192.168.1.0/24, 192.168.11.1/32 - -# Rules for UniFi devices -if $fromhost-ip != '127.0.0.1' then { - # Check if message starts with CEF - if $msg startswith 'CEF' then { - # CEF messages go to unifi-cef.log - action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") - } else { - # Non-CEF syslog messages go to unifi-syslog.log - action(type="omfile" file="/var/log/unifi-syslog.log" template="Syslog") - } - stop -} -``` - -Restart rsyslog after configuration: -```bash -sudo systemctl restart rsyslog -``` - -Verify UDP port is listening: -```bash -sudo netstat -uln | grep 4242 -``` - -### Log Rotation Configuration - -To prevent log files from growing too large, configure logrotate for both CEF and 
syslog files. Create `/etc/logrotate.d/unifi-cef`: - -```bash -/var/log/unifi-cef.log /var/log/unifi-syslog.log { - daily - rotate 7 - compress - delaycompress - missingok - notifempty - postrotate - systemctl reload rsyslog >/dev/null 2>&1 || true - endscript -} -``` - -This configuration will: -- Rotate logs daily -- Keep 7 days of logs -- Compress rotated logs -- Reload rsyslog after rotation - -Test the logrotate configuration: -```bash -sudo logrotate -d /etc/logrotate.d/unifi-cef -``` - -And run it manually if needed: -```bash -sudo logrotate -f /etc/logrotate.d/unifi-cef -``` - -## Acquisition templates - -Example acquisition for CEF logs (recommended for security monitoring): - -```yaml ---- -filenames: - - /var/log/unifi-cef.log -labels: - type: cef -``` - -Optional: If you also want to monitor non-CEF syslog messages from UniFi devices: - -```yaml ---- -filenames: - - /var/log/unifi-syslog.log -labels: - type: unifi -``` - -## Supported Event Types - -This collection handles two main types of UniFi CEF events: - -- **Admin Events**: Login attempts, configuration changes, device management -- **Security Events**: IPS alerts, blocked connections, threat detection - -All events include rich metadata such as device information, source/destination details, and UniFi-specific context. - -The configuration also separates CEF-formatted messages from standard syslog messages, allowing you to monitor both structured security events and general device logs. - -## Testing the Configuration - -After setup, test that logs are being received and properly separated: - -```bash -# Send a test CEF message -echo "CEF:0|Test|Test|1.0|TEST|Test Event|5|src=192.168.1.100" | nc -u -w1 localhost 514 - -# Send a test syslog message -echo "test syslog message from unifi device" | nc -u -w1 localhost 514 - -# Check that messages went to correct files -tail -f /var/log/unifi-cef.log -tail -f /var/log/unifi-syslog.log -``` 
diff --git a/collections/crowdsecurity/unifi-cef.yaml b/collections/crowdsecurity/unifi-cef.yaml deleted file mode 100644 index 710415b4a0c..00000000000 --- a/collections/crowdsecurity/unifi-cef.yaml +++ /dev/null @@ -1,9 +0,0 @@ -parsers: - - crowdsecurity/cef-logs - - crowdsecurity/unifi-cef -description: "UniFi CEF logs support : base CEF parsing + UniFi specific parsing" -author: crowdsecurity -tags: - - unifi - - cef - - ubiquiti diff --git a/collections/crowdsecurity/unifi.md b/collections/crowdsecurity/unifi.md index 940db25a9b1..9ceececb6ff 100644 --- a/collections/crowdsecurity/unifi.md +++ b/collections/crowdsecurity/unifi.md 
@@ -2,14 +2,131 @@ A collection to defend Unifi gear against common attacks : - Unifi syslog parser: `crowdsecurity/unifi-logs` +- CEF logs parser: `crowdsecurity/cef-logs` +- Unifi CEF parser: `crowdsecurity/unifi-cef` - Dropbear parser: `crowdsecurity/dropbear-logs` - SSH bruteforce scenario : `crowdsecurity/ssh-bf` - Iptables parser: `crowdsecurity/iptables-logs` - Port scan detection: `crowdsecurity/iptables-scan-multi_ports` -## Acquisition template +## Log Format Support -Example acquisition for this collection : +This collection supports both standard syslog and CEF (Common Event Format) logs from UniFi devices. + +### CEF Format (Recommended for Security Monitoring) + +UniFi devices can send logs in CEF format, which provides structured security events with rich metadata. + +#### UniFi Device Configuration + +Configure your UniFi devices to send CEF logs: + +1. In UniFi Controller Settings → System → Remote Logging +2. Set the remote syslog server IP address and port (default: 514) +3. Enable the desired logging categories (Admin Events, Security Events, etc.) + +> Note: While UniFi calls this "CEF format", it actually sends logs with CEF headers but without the full CEF structure. The collection handles this properly. + +#### rsyslog Configuration + +For CEF format, you need to use rsyslog to receive and process the logs (CrowdSec's built-in syslog acquisition doesn't support CEF format). 
+ +Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: + +```bash +module(load="imudp") +input(type="imudp" port="4242") +# Template to extract only CEF message content (no syslog headers) +template(name="CEF" type="string" string="%msg%\n") + +# Template for standard syslog format (preserves full syslog structure) +template(name="Syslog" type="string" string="%timegenerated% %hostname% %syslogtag%%msg%\n") + +$AllowedSender UDP, 192.168.1.0/24, 192.168.11.1/32 + +# Rules for UniFi devices +if $fromhost-ip != '127.0.0.1' then { + # Check if message starts with CEF + if $msg startswith 'CEF' then { + # CEF messages go to unifi-cef.log + action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") + } else { + # Non-CEF syslog messages go to unifi-syslog.log + action(type="omfile" file="/var/log/unifi-syslog.log" template="Syslog") + } + stop +} +``` + +Restart rsyslog after configuration: +```bash +sudo systemctl restart rsyslog +``` + +Verify UDP port is listening: +```bash +sudo netstat -uln | grep 4242 +``` + +#### Log Rotation Configuration + +To prevent log files from growing too large, configure logrotate for both CEF and syslog files. 
Create `/etc/logrotate.d/unifi`: + +```bash +/var/log/unifi-cef.log /var/log/unifi-syslog.log { + daily + rotate 7 + compress + delaycompress + missingok + notifempty + postrotate + systemctl reload rsyslog >/dev/null 2>&1 || true + endscript +} +``` + +This configuration will: +- Rotate logs daily +- Keep 7 days of logs +- Compress rotated logs +- Reload rsyslog after rotation + +Test the logrotate configuration: +```bash +sudo logrotate -d /etc/logrotate.d/unifi +``` + +And run it manually if needed: +```bash +sudo logrotate -f /etc/logrotate.d/unifi +``` + +#### CEF Acquisition Template + +Example acquisition for CEF logs (recommended for security monitoring): + +```yaml +--- +filenames: + - /var/log/unifi-cef.log +labels: + type: cef +``` + +Optional: If you also want to monitor non-CEF syslog messages from UniFi devices: + +```yaml +--- +filenames: + - /var/log/unifi-syslog.log +labels: + type: unifi +``` + +## Standard Syslog Support + +For basic syslog support (non-CEF format), use CrowdSec's built-in syslog acquisition: ```yaml source: syslog 
@@ -19,6 +136,36 @@ labels: type: unifi ``` +**Notes:** +- While the unifi gear uses syslog to send the logs, the format is non-compliant with the RFC, so you need to set the type to `unifi` +- CEF format is recommended for security monitoring as it provides structured data with rich metadata + +## Supported Event Types + +This collection handles multiple types of UniFi events: + +### CEF Format Events +- **Admin Events**: Login attempts, configuration changes, device management +- **Security Events**: IPS alerts, blocked connections, threat detection + +All CEF events include rich metadata such as device information, source/destination details, and UniFi-specific context. -notes : - - While the unifi gear uses syslog to send the logs, the format is non-compliant with the RFC, so you need to set the type to `unifi` +### Standard Syslog Events +- General device logs and system messages +- Basic connectivity and operational events + +## Testing the Configuration + +After setup, test that logs are being received and properly processed: + +```bash +# Send a test CEF message (if using CEF format) +echo "CEF:0|Test|Test|1.0|TEST|Test Event|5|src=192.168.1.100" | nc -u -w1 localhost 4242 + +# Send a test syslog message +echo "test syslog message from unifi device" | nc -u -w1 localhost 4242 + +# Check that messages are being logged +tail -f /var/log/unifi-cef.log +tail -f /var/log/unifi-syslog.log +``` diff --git a/collections/crowdsecurity/unifi.yaml b/collections/crowdsecurity/unifi.yaml index 2591c7f6680..edcbe20c9a9 100644 --- a/collections/crowdsecurity/unifi.yaml +++ b/collections/crowdsecurity/unifi.yaml 
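Review bot: The test commands send to `localhost 4242`, but the rsyslog snippet in the previous hunk restricts input with `$AllowedSender UDP, 192.168.1.0/24, 192.168.11.1/32`, and 127.0.0.1 is not in that list, so rsyslog will discard both test datagrams and the `tail -f` lines will show nothing. Either run the test from a host inside the allowed ranges or say so next to the commands, e.g. `# run from a host covered by $AllowedSender; datagrams from other sources are dropped`. The same mismatch is still present after the rsyslog rewrite in the patch 08 hunk of this file.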
@@ -1,11 +1,13 @@ parsers: - crowdsecurity/unifi-logs + - crowdsecurity/cef-logs + - crowdsecurity/unifi-cef - crowdsecurity/dropbear-logs scenarios: - crowdsecurity/ssh-bf collections: - crowdsecurity/iptables -description: "Unifi support: syslog parser + port scan + SSH BF detection" +description: "Unifi support: syslog + CEF parsers + port scan + SSH BF detection" author: crowdsecurity tags: - unifi @@ -13,3 +15,4 @@ tags: - bruteforce - dropbear - portscan + - cef From db36da23f2dcf8cf05d6325062f345ad06a9470b Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 4 Sep 2025 15:11:39 +0100 Subject: [PATCH 08/11] enhance: better rsyslog configuration --- collections/crowdsecurity/unifi.md | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/collections/crowdsecurity/unifi.md b/collections/crowdsecurity/unifi.md index 9ceececb6ff..e9091a4cfbf 100644 --- a/collections/crowdsecurity/unifi.md +++ b/collections/crowdsecurity/unifi.md 
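Review bot: The parsers list adds `crowdsecurity/cef-logs` and `crowdsecurity/unifi-cef` but not `crowdsecurity/dateparse-enrich`, while the `.tests/unifi-cef/config.yaml` hunk later in the series has to add it explicitly and the assertion file moves the `timestamp` expectation from the s01-parse stage to s02-enrich. If the unifi-cef parser now leaves event time to that enrichment, a machine where dateparse-enrich is not installed would process CEF events with no MarshaledTime, so the IPS events would be bucketed on receive time rather than `UNIFIutcTime`. Adding `  - crowdsecurity/dateparse-enrich` under `parsers:` makes the dependency explicit; this is inferred from the test files, so confirm against the parser definition, which is outside this chunk.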
@@ -35,27 +35,31 @@ Create a configuration file `/etc/rsyslog.d/unifi-cef.conf`: ```bash module(load="imudp") -input(type="imudp" port="4242") -# Template to extract only CEF message content (no syslog headers) -template(name="CEF" type="string" string="%msg%\n") - -# Template for standard syslog format (preserves full syslog structure) -template(name="Syslog" type="string" string="%timegenerated% %hostname% %syslogtag%%msg%\n") +# Only allow your senders (legacy-style; applies to all UDP inputs) $AllowedSender UDP, 192.168.1.0/24, 192.168.11.1/32 -# Rules for UniFi devices -if $fromhost-ip != '127.0.0.1' then { - # Check if message starts with CEF - if $msg startswith 'CEF' then { - # CEF messages go to unifi-cef.log +# Templates +template(name="CEF" type="string" string="%msg%\n") +template(name="Syslog" type="string" string="%timegenerated% %hostname% %programname%[%procid%]: %msg%\n") + +# Bind the UDP/4242 input to a ruleset so only those messages hit the UniFi actions +input( + type="imudp" + name="unifi_in" + port="4242" + ruleset="unifi" +) + +ruleset(name="unifi") { + if $msg startswith "CEF:" then { action(type="omfile" file="/var/log/unifi-cef.log" template="CEF") } else { - # Non-CEF syslog messages go to unifi-syslog.log action(type="omfile" file="/var/log/unifi-syslog.log" template="Syslog") } stop } + ``` Restart rsyslog after configuration: From 24eae22778b09c527f4714fa1596c7079b2d610f Mon Sep 17 00:00:00 2001 From: Laurence Date: Fri, 5 Sep 2025 08:18:14 +0100 Subject: [PATCH 09/11] enhance: Add utc timestamp to security and update other files --- .tests/unifi-cef/cef-logs.log | 2 +- .tests/unifi-cef/config.yaml | 1 + .tests/unifi-cef/parser.assert | 122 +++++++++++++++--- collections/crowdsecurity/unifi.md | 2 +- parsers/s01-parse/crowdsecurity/unifi-cef.md | 4 +- .../s01-parse/crowdsecurity/unifi-cef.yaml | 8 +- 6 files changed, 116 insertions(+), 23 deletions(-) 
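Review bot: Routing on `if $msg startswith "CEF:"` assumes the `CEF:` prefix survives rsyslog's header parsing, but the second line of the `.tests/unifi-cef/cef-logs.log` fixture starts with `0|Ubiquiti|…`, which looks like rsyslog having consumed `CEF:` as the syslog tag; such events would take the `else` branch into unifi-syslog.log and never reach the `type: cef` acquisition. Consider widening the condition, e.g. `if $msg startswith "CEF:" or $syslogtag startswith "CEF" then {`, and verifying with a real device rather than the localhost echo. Separately, `$AllowedSender` filters on the source address of unauthenticated UDP datagrams, so it is hygiene rather than authentication; the doc should say so and suggest binding the listener with `address="<listener IP>"` on the imudp input so the port is not exposed on every interface.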
diff --git a/.tests/unifi-cef/cef-logs.log b/.tests/unifi-cef/cef-logs.log index 8186bc65796..e107975b9ea 100644 --- a/.tests/unifi-cef/cef-logs.log +++ b/.tests/unifi-cef/cef-logs.log @@ -1,2 +1,2 @@ CEF:0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222 -0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked. +0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked. diff --git a/.tests/unifi-cef/config.yaml b/.tests/unifi-cef/config.yaml index be4e2fcf736..9b4ae65df12 100644 --- a/.tests/unifi-cef/config.yaml +++ b/.tests/unifi-cef/config.yaml 
@@ -1,6 +1,7 @@ parsers: - ./parsers/s00-raw/crowdsecurity/cef-logs.yaml - ./parsers/s01-parse/crowdsecurity/unifi-cef.yaml +- crowdsecurity/dateparse-enrich scenarios: - "" postoverflows: diff --git a/.tests/unifi-cef/parser.assert b/.tests/unifi-cef/parser.assert index 24e824968f9..648996335f9 100644 --- a/.tests/unifi-cef/parser.assert +++ b/.tests/unifi-cef/parser.assert @@ -1,4 +1,4 @@ -len(results) == 3 +len(results) == 4 len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2 results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network" 
@@ -16,12 +16,12 @@ results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.4.19" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked." 
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked." results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti" basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file" 
@@ -57,59 +57,149 @@ results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["product"] == "UniFi results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["service"] == "unifi" results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["source_ip"] == "10.72.1.222" results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["subcategory"] == "Admin" -results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["timestamp"] == "2025-09-04T08:32:58.445Z" results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Meta["vendor"] == "Ubiquiti" results["s01-parse"]["crowdsecurity/unifi-cef"][0].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/unifi-cef"][1].Success == true results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_product"] == "UniFi Network" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_version"] == "9.3.45" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_device_version"] == "9.4.19" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_severity"] == "7" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_signature_id"] == "201" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["cef_version"] == "0" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_ip"] == "192.168.0.233" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_port"] == "80" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 
UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked." +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["dst_port"] == "443" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["message"] == "proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked." results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["program"] == "Ubiquiti" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["protocol"] == "TCP" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_ip"] == "192.168.0.1" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_port"] == "54587" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_ip"] == "10.0.0.100" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["src_port"] == "52331" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_category"] == "Security" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_ip"] == "192.168.0.1" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_mac"] == "84:78:48:80:0d:86" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_model"] == "UX7" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_name"] == "Express 7" 
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_version"] == "4.2.15" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_device_version"] == "4.3.9" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_host"] == "Express 7" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_session_id"] == "2138629792252828" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_session_id"] == "54725290909450" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature"] == "ET DROP Dshield Block Listed Source group 1" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_ips_signature_id"] == "2402000" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_risk"] == "medium" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_subcategory"] == "Intrusion Prevention" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Parsed["unifi_utc_time"] == "2025-08-30T17:53:21.915Z" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["category"] == "Security" basename(results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_path"]) == "cef-logs.log" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_ip"] == "192.168.0.233" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_port"] == "80" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["destination_port"] == "443" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_ip"] == "192.168.0.1" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_mac"] == "84:78:48:80:0d:86" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_model"] == "UX7" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_name"] == "Express 7" 
-results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_version"] == "9.3.45" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["device_version"] == "9.4.19" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_severity"] == "7" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["event_signature_id"] == "201" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["host"] == "Express 7" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_session_id"] == "2138629792252828" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_session_id"] == "54725290909450" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature"] == "ET DROP Dshield Block Listed Source group 1" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["ips_signature_id"] == "2402000" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["product"] == "UniFi Network" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["protocol"] == "TCP" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["risk_level"] == "medium" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["service"] == "unifi" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_ip"] == "192.168.0.1" -results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_port"] == "54587" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_ip"] == "10.0.0.100" +results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["source_port"] == "52331" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["subcategory"] == "Intrusion Prevention" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Meta["vendor"] == "Ubiquiti" results["s01-parse"]["crowdsecurity/unifi-cef"][1].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_device_product"] == "UniFi Network" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_device_version"] == "9.4.19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_severity"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_signature_id"] == "544" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["cef_version"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. 
Source IP: 10.72.1.222" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["src_ip"] == "10.72.1.222" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_access_method"] == "web" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_admin"] == "Secure Admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_category"] == "System" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_host"] == "Unifi Dream Machine" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_subcategory"] == "Admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["unifi_utc_time"] == "2025-09-04T08:32:58.445Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["access_method"] == "web" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["admin_user"] == "Secure Admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["category"] == "System" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "cef-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["device_version"] == "9.4.19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["event_severity"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["event_signature_id"] == "544" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["host"] == "Unifi Dream Machine" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["product"] == "UniFi Network" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "unifi" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "10.72.1.222" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["subcategory"] == "Admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-09-04T08:32:58.445Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["vendor"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-09-04T08:32:58.445Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_device_product"] == "UniFi Network" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_device_version"] == "9.4.19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_severity"] == "7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_signature_id"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["cef_version"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_ip"] == "192.168.0.233" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["dst_port"] == "443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium 
UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked." +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["protocol"] == "TCP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_ip"] == "10.0.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["src_port"] == "52331" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_category"] == "Security" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_device_ip"] == "192.168.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_device_mac"] == "84:78:48:80:0d:86" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_device_model"] == "UX7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_device_name"] == "Express 7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_device_version"] == "4.3.9" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_host"] == "Express 7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_ips_session_id"] == "54725290909450" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_ips_signature"] == "ET DROP Dshield Block Listed Source group 1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_ips_signature_id"] == "2402000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_risk"] == "medium" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_subcategory"] == "Intrusion Prevention" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["unifi_utc_time"] == "2025-08-30T17:53:21.915Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["category"] == "Security" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "cef-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["destination_ip"] == "192.168.0.233" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["destination_port"] == "443" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["device_ip"] == "192.168.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["device_mac"] == "84:78:48:80:0d:86" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["device_model"] == "UX7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["device_name"] == "Express 7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["device_version"] == "9.4.19" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["event_severity"] == "7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["event_signature_id"] == "201" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["host"] == "Express 7" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["ips_session_id"] == "54725290909450" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["ips_signature"] == "ET DROP Dshield Block Listed Source group 1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["ips_signature_id"] == "2402000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["product"] == "UniFi Network" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["protocol"] == "TCP" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["risk_level"] == "medium" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "unifi" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "10.0.0.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_port"] == "52331" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["subcategory"] == "Intrusion Prevention" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-08-30T17:53:21.915Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["vendor"] == "Ubiquiti" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-08-30T17:53:21.915Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false len(results["success"][""]) == 0 diff --git a/collections/crowdsecurity/unifi.md b/collections/crowdsecurity/unifi.md index e9091a4cfbf..c0bf4175e42 100644 --- a/collections/crowdsecurity/unifi.md +++ b/collections/crowdsecurity/unifi.md 
@@ -164,7 +164,7 @@ After setup, test that logs are being received and properly processed: ```bash # Send a test CEF message (if using CEF format) -echo "CEF:0|Test|Test|1.0|TEST|Test Event|5|src=192.168.1.100" | nc -u -w1 localhost 4242 +echo "CEF:0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked." | nc -u -w1 localhost 4242 # Send a test syslog message echo "test syslog message from unifi device" | nc -u -w1 localhost 4242 diff --git a/parsers/s01-parse/crowdsecurity/unifi-cef.md b/parsers/s01-parse/crowdsecurity/unifi-cef.md index 6b443e419c9..1e214754269 100644 --- a/parsers/s01-parse/crowdsecurity/unifi-cef.md +++ b/parsers/s01-parse/crowdsecurity/unifi-cef.md @@ -21,7 +21,7 @@ The parser uses a single configuration with two grok patterns, each optimized fo #### Admin/System Events Pattern matches logs like: ``` -UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=... +UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=192.168.1.100 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=... ``` **Admin pattern extracts and sets:** 
@@ -33,7 +33,7 @@ UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIa #### Security/Threat Events Pattern matches logs like: ``` -proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=... msg=... +proto=TCP src=10.0.0.100 spt=54587 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked. ``` **Security pattern extracts and sets:** diff --git a/parsers/s01-parse/crowdsecurity/unifi-cef.yaml b/parsers/s01-parse/crowdsecurity/unifi-cef.yaml index d5704c637e1..4b496406a7e 100644 --- a/parsers/s01-parse/crowdsecurity/unifi-cef.yaml +++ b/parsers/s01-parse/crowdsecurity/unifi-cef.yaml 
@@ -4,7 +4,7 @@ name: crowdsecurity/unifi-cef
 description: "Parse Unifi CEF logs"
 pattern_syntax:
 UNIFI_ADMIN_PATTERN: 'UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIaccessMethod=(%{DATA:unifi_access_method}) UNIFIadmin=(%{DATA:unifi_admin}) src=(%{IP:src_ip}) UNIFIutcTime=(%{DATA:unifi_utc_time}) msg=(%{DATA:msg})'
- UNIFI_SECURITY_PATTERN: 'proto=(%{WORD:protocol}) src=(%{IP:src_ip}) spt=(%{INT:src_port}) dst=(%{IP:dst_ip}) dpt=(%{INT:dst_port}) UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIdeviceMac=(%{DATA:unifi_device_mac}) UNIFIdeviceName=(%{DATA:unifi_device_name}) UNIFIdeviceModel=(%{DATA:unifi_device_model}) UNIFIdeviceIp=(%{IP:unifi_device_ip}) UNIFIdeviceVersion=(%{DATA:unifi_device_version}) UNIFIrisk=(%{DATA:unifi_risk}) UNIFIipsSessionId=(%{DATA:unifi_ips_session_id}) UNIFIipsSignature=(%{DATA:unifi_ips_signature}) UNIFIipsSignatureId=(%{DATA:unifi_ips_signature_id}) msg=(%{DATA:msg})'
+ UNIFI_SECURITY_PATTERN: 'proto=(%{WORD:protocol}) src=(%{IP:src_ip}) spt=(%{INT:src_port}) dst=(%{IP:dst_ip}) dpt=(%{INT:dst_port}) UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIdeviceMac=(%{DATA:unifi_device_mac}) UNIFIdeviceName=(%{DATA:unifi_device_name}) UNIFIdeviceModel=(%{DATA:unifi_device_model}) UNIFIdeviceIp=(%{IP:unifi_device_ip}) UNIFIdeviceVersion=(%{DATA:unifi_device_version}) UNIFIrisk=(%{DATA:unifi_risk}) UNIFIipsSessionId=(%{DATA:unifi_ips_session_id}) UNIFIipsSignature=(%{DATA:unifi_ips_signature}) UNIFIipsSignatureId=(%{DATA:unifi_ips_signature_id}) UNIFIutcTime=(%{DATA:unifi_utc_time}) msg=(%{DATA:msg})'
 nodes:
 - grok:
 pattern: '%{UNIFI_ADMIN_PATTERN}'
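Review bot: Making `UNIFIutcTime=` a required key in UNIFI_SECURITY_PATTERN means the security grok no longer matches firmware that omits the field; the 9.3.45 sample in `.tests/cef-logs/cef-logs.log` (`... UNIFIipsSignatureId=2402000 msg=A network intrusion attempt ...`) carries no `UNIFIutcTime`, so events of that shape would presumably stop parsing at s01 and the IPS block would be lost to any scenario. Keeping the key optional preserves both variants: `UNIFIipsSignatureId=(%{DATA:unifi_ips_signature_id}) (?:UNIFIutcTime=(%{DATA:unifi_utc_time}) )?msg=(%{DATA:msg})`. Separately, the trailing `msg=(%{DATA:msg})` on both patterns is a lazy `.*?` with nothing after it, so unless the grok engine anchors the end of the pattern it captures an empty string — which would be consistent with none of the s02-enrich assertions above checking `Meta["message"]`; `msg=%{GREEDYDATA:msg}` would take the rest of the line, and the `meta: message` statics in the next two hunks of this file depend on it.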
@@ -34,10 +34,10 @@ nodes:
 expression: evt.Parsed.cef_severity
 - meta: event_signature_id
 expression: evt.Parsed.cef_signature_id
- - meta: timestamp
- expression: evt.Parsed.unifi_utc_time
 - meta: message
 expression: evt.Parsed.msg
+ - target: evt.StrTime
+ expression: evt.Parsed.unifi_utc_time
 - grok:
 pattern: '%{UNIFI_SECURITY_PATTERN}'
 apply_on: message
@@ -88,3 +88,5 @@ nodes:
 expression: evt.Parsed.dst_port
 - meta: message
 expression: evt.Parsed.msg
+ - target: evt.StrTime
+ expression: evt.Parsed.unifi_utc_time
From 2cadc0bcedf22bd93585f64738662d01a96f7cd2 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Mon, 8 Sep 2025 08:07:21 +0100
Subject: [PATCH 10/11] enhance: Unifi puts a space between cef: and the version, add an optional space between them yay...
---
 .tests/cef-logs/cef-logs.log | 1 +
 .tests/cef-logs/parser.assert | 25 ++++++++++++++++-----
 parsers/s00-raw/crowdsecurity/cef-logs.yaml | 2 +-
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/.tests/cef-logs/cef-logs.log b/.tests/cef-logs/cef-logs.log
index 8186bc65796..f246deb28e9 100644
--- a/.tests/cef-logs/cef-logs.log
+++ b/.tests/cef-logs/cef-logs.log
@@ -1,2 +1,3 @@ CEF:0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222 +CEF: 0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222 0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked. diff --git a/.tests/cef-logs/parser.assert b/.tests/cef-logs/parser.assert index 645a3086d46..09527b08a4e 100644 --- a/.tests/cef-logs/parser.assert +++ b/.tests/cef-logs/parser.assert @@ -1,5 +1,5 @@ len(results) == 2 -len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 2 +len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 3 results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" 
@@ -16,14 +16,27 @@ results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/cef-logs"][1].Success == true results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_product"] == "UniFi Network" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.3.45" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "7" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "201" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_device_version"] == "9.4.19" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == "Admin Accessed UniFi Network" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "1" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "544" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0" -results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked." 
+results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti" basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cef-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_device_product"] == "UniFi Network" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_device_version"] == "9.3.45" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_severity"] == "7" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_signature_id"] == "201" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_version"] == "0" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked." 
+results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["program"] == "Ubiquiti"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/parsers/s00-raw/crowdsecurity/cef-logs.yaml b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
index 04238b4c501..1c7ad4614c1 100644
--- a/parsers/s00-raw/crowdsecurity/cef-logs.yaml
+++ b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
@@ -1,7 +1,7 @@
 filter: "evt.Line.Labels.type == 'cef'"
 onsuccess: next_stage
 pattern_syntax:
- CEF_HEADER: '(CEF:)?%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'
+ CEF_HEADER: '(CEF:)?%{SPACE}?%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'
 name: crowdsecurity/cef-logs
 description: CEF (Common Event Format) logs parser
 nodes:
From 4b73a7d7da7b57c642f07a39ed2833005e5ebc44 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Mon, 8 Sep 2025 08:16:14 +0100
Subject: [PATCH 11/11] enhance: Add optional syslog headers to CEF incase of not stripping syslog headers
---
 .tests/cef-logs/cef-logs.log | 1 +
 .tests/cef-logs/parser.assert | 21 ++++++++++++++++++++-
 parsers/s00-raw/crowdsecurity/cef-logs.yaml | 12 ++++++++++--
 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/.tests/cef-logs/cef-logs.log b/.tests/cef-logs/cef-logs.log
index f246deb28e9..da6a4504e84 100644
--- a/.tests/cef-logs/cef-logs.log
+++ b/.tests/cef-logs/cef-logs.log
@@ -1,3 +1,4 @@ CEF:0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222 CEF: 0|Ubiquiti|UniFi Network|9.4.19|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222 0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked. +Sep 8 08:32:20 UDM-Gent CEF: 0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|9|proto=TCP src=192.168.100.252 spt=65020 dst=192.168.1.100 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=UDM-Gent UNIFIsite=UDM-Gent UNIFIdeviceMac=78:45:58:de:fc:e7 UNIFIdeviceName=UDM-Gent UNIFIdeviceModel=UDM UNIFIdeviceIp=192.168.100.1 UNIFIdeviceVersion=4.4.0 UNIFIrisk=high UNIFIipsSessionId=1328559940562927 UNIFIipsSignature=ET USER_AGENTS Suspicious User Agent (BlackSun) UNIFIipsSignatureId=2008983 UNIFIutcTime=2025-09-08T06:32:20.613Z msg=A network intrusion attempt from Desktop d5:5d to 192.168.1.100 has been detected and blocked. 
diff --git a/.tests/cef-logs/parser.assert b/.tests/cef-logs/parser.assert index 09527b08a4e..4b1b0fee34c 100644 --- a/.tests/cef-logs/parser.assert +++ b/.tests/cef-logs/parser.assert @@ -1,5 +1,5 @@ len(results) == 2 -len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 3 +len(results["s00-raw"]["crowdsecurity/cef-logs"]) == 4 results["s00-raw"]["crowdsecurity/cef-logs"][0].Success == true results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_product"] == "UniFi Network" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" @@ -8,6 +8,7 @@ results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_event_name"] == results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_severity"] == "1" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_signature_id"] == "544" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["cef_version"] == "0" +results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["logsource"] == "cef" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222" results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Parsed["program"] == "Ubiquiti" basename(results["s00-raw"]["crowdsecurity/cef-logs"][0].Evt.Meta["datasource_path"]) == "cef-logs.log" 
@@ -21,6 +22,7 @@ results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_event_name"] == results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_severity"] == "1" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_signature_id"] == "544" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["cef_version"] == "0" +results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["logsource"] == "cef" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["message"] == "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=10.72.1.222 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Secure Admin accessed UniFi Network using the web. Source IP: 10.72.1.222" results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Parsed["program"] == "Ubiquiti" basename(results["s00-raw"]["crowdsecurity/cef-logs"][1].Evt.Meta["datasource_path"]) == "cef-logs.log" 
@@ -34,9 +36,26 @@ results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_event_name"] == results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_severity"] == "7" results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_signature_id"] == "201" results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["cef_version"] == "0" +results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["logsource"] == "cef" results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["message"] == "proto=TCP src=192.168.0.1 spt=54587 dst=192.168.0.233 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.2.15 UNIFIrisk=medium UNIFIipsSessionId=2138629792252828 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt from 192.168.0.1 to DS920+ macvlan has been detected and blocked." 
results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Parsed["program"] == "Ubiquiti" basename(results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Meta["datasource_path"]) == "cef-logs.log" results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/cef-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/cef-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_device_product"] == "UniFi Network" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_device_vendor"] == "Ubiquiti" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_device_version"] == "9.4.19" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_event_name"] == "Threat Detected and Blocked" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_severity"] == "9" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_signature_id"] == "201" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["cef_version"] == "0" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["hostname"] == "UDM-Gent" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["logsource"] == "cef" +results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["message"] == "proto=TCP src=192.168.100.252 spt=65020 dst=192.168.1.100 dpt=80 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=UDM-Gent UNIFIsite=UDM-Gent UNIFIdeviceMac=78:45:58:de:fc:e7 UNIFIdeviceName=UDM-Gent UNIFIdeviceModel=UDM UNIFIdeviceIp=192.168.100.1 UNIFIdeviceVersion=4.4.0 UNIFIrisk=high UNIFIipsSessionId=1328559940562927 UNIFIipsSignature=ET USER_AGENTS Suspicious User Agent (BlackSun) UNIFIipsSignatureId=2008983 UNIFIutcTime=2025-09-08T06:32:20.613Z msg=A network intrusion attempt from Desktop d5:5d to 192.168.1.100 has been detected and blocked." 
+results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["program"] == "Ubiquiti"
+results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Parsed["timestamp"] == "Sep 8 08:32:20"
+basename(results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Meta["datasource_path"]) == "cef-logs.log"
+results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/cef-logs"][3].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/parsers/s00-raw/crowdsecurity/cef-logs.yaml b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
index 1c7ad4614c1..10c4b3ecfd0 100644
--- a/parsers/s00-raw/crowdsecurity/cef-logs.yaml
+++ b/parsers/s00-raw/crowdsecurity/cef-logs.yaml
@@ -1,16 +1,24 @@
 filter: "evt.Line.Labels.type == 'cef'"
 onsuccess: next_stage
 pattern_syntax:
- CEF_HEADER: '(CEF:)?%{SPACE}?%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'
+ CEF_HEADER: '(CEF:)?%{SPACE}%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'
+ CEF_SYSLOG_OPTIONAL: '(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})(?: %{DATA:hostname})? ?'
 name: crowdsecurity/cef-logs
 description: CEF (Common Event Format) logs parser
 nodes:
 - grok:
- pattern: "^%{CEF_HEADER}%{SPACE}\\|?%{GREEDYDATA:message}"
+ pattern: "^%{CEF_SYSLOG_OPTIONAL}?%{CEF_HEADER}%{SPACE}\\|?%{GREEDYDATA:message}"
 apply_on: Line.Raw
 statics:
 - parsed: "program"
 expression: evt.Parsed.cef_device_vendor
+ - parsed: "logsource"
+ value: "cef"
+ # syslog timestamp can be in two different fields (one of the assignment will fail)
+ - target: evt.StrTime
+ expression: evt.Parsed.timestamp
+ - target: evt.StrTime
+ expression: evt.Parsed.timestamp8601
 - meta: datasource_path
 expression: evt.Line.Src
 - meta: datasource_type
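Review bot: `%{DATA:hostname}` in CEF_SYSLOG_OPTIONAL is a lazy catch-all bounded only by an optional `CEF:` and a digit-pipe, so any extra syslog header token between the hostname and the CEF header (a program tag or pid, for instance) would be folded into `hostname`, and anything downstream keying on the host would see a polluted value without any parse failure to flag it. A single-token capture, `(?: %{NOTSPACE:hostname})? ?`, still matches the `UDM-Gent` fixture and leaves an unexpected header visibly unmatched instead of silently mislabelled; please run it against all four fixture lines. The comment `# syslog timestamp can be in two different fields (one of the assignment will fail)` overstates what happens — as far as I understand CrowdSec statics, a static whose expression evaluates to an empty string is skipped rather than failing the node, so `# only one of timestamp/timestamp8601 is populated by the alternation; the empty static is skipped` would be more accurate. Also worth a comment on CEF_HEADER: the header fields are split on `\|` with lazy `%{DATA}`, so a field containing an escaped pipe (`\|`, which the CEF format permits) would be split early — fine if that is an accepted limitation, but it should be stated.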