3173db0
feat(threatwinds): add ThreatWinds credentials section and parameters…
mjabascal10 Dec 19, 2025
b0ec2bd
ci: add ThreadWinds ingestion build job to deployment pipeline
JocLRojas Dec 23, 2025
40f1c14
feat: integrate ThreadWinds ingestion service into UTMStack installer
JocLRojas Dec 23, 2025
dee17eb
feat: integrate ThreadWinds threat intelligence platform
JocLRojas Dec 23, 2025
c7774b4
refactor: simplify PostgreSQL connection initialization in postgres_c…
JocLRojas Dec 23, 2025
72fcfb0
feat: add infinite retry mechanism for ThreadWinds registration
JocLRojas Dec 23, 2025
264e720
feat(threadwinds-ingestion): implement infinite retry with exponentia…
JocLRojas Dec 30, 2025
666ee1d
fix: refresh admin email on registration retry and improve logging
JocLRojas Jan 2, 2026
aabd05b
refactor: update ThreatWinds config parameter keys and add metadata f…
JocLRojas Jan 2, 2026
258b396
feat(threadwinds-ingestion): add AES decryption support for API secret
JocLRojas Jan 2, 2026
65078b7
feat(installer): add ENCRYPTION_KEY env var to threadwinds-ingestion …
JocLRojas Jan 2, 2026
c398e3e
refactor(threadwinds-ingestion): remove VisibleBy field from entity c…
JocLRojas Jan 5, 2026
fd242a8
refactor: sanitize sensitive data from log messages
JocLRojas Jan 8, 2026
ad0624b
refactor: simplify association rules and expand threat intelligence c…
JocLRojas Jan 9, 2026
ab16ad0
feat(threatwinds): add configuration parameters for ThreatWinds integ…
mjabascal10 Jan 12, 2026
263993a
chore: remove threadwinds-ingestion microservice
JocLRojas Jan 13, 2026
fdf03ea
ci: remove threadwinds-ingestion from deployment pipeline
JocLRojas Jan 13, 2026
ca99ad3
feat(installer): remove threadwinds-ingestion from stack configuration
JocLRojas Jan 13, 2026
15caafb
Revert "feat(threatwinds): add configuration parameters for ThreatWin…
mjabascal10 Jan 13, 2026
be9deff
Revert "feat(threatwinds): add ThreatWinds credentials section and pa…
mjabascal10 Jan 13, 2026
4a26bb9
Merge remote-tracking branch 'origin/release/v10.9.6' into release/v1…
mjabascal10 Jan 13, 2026
a611754
feat(filters/sophos_xg): add steps to accept new fields and version o…
JocLRojas May 15, 2026
9fe7a32
Merge remote-tracking branch 'origin/v10' into release/v10.9.6
JocLRojas May 26, 2026
149 changes: 145 additions & 4 deletions filters/sophos/sophos_xg_firewall.conf
@@ -1,6 +1,6 @@
filter {

# Sophos filter version 2.0.1
# Sophos filter version 2.1.0
# Based on https://docs.sophos.com/nsg/sophos-firewall/17.5/PDF/SFOS_Logfile_Guide_17.5.pdf
# and https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf
# and https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogMessages.html
Expand Down Expand Up @@ -42,6 +42,7 @@ filter {
gsub => ["device_name", '"', ""]
gsub => ["log_type", '"', ""]
gsub => ["log_component", '"', ""]
gsub => ["log_id", '"', ""]
}
if [log_type] and ([log_type] == "Firewall" or [log_type] == "Content Filtering" or [log_type] == "Event"
or [log_type] == "WAF" or [log_type] == "System Health" or [log_type] == "IDP"
Expand Down Expand Up @@ -133,7 +134,7 @@ filter {
}
}

if [logx][sophos][device] and [logx][sophos][device] == "SFW" {
if [logx][sophos][device] {
if [msg] {
#Fields from Firewall log_type
grok {
Expand Down Expand Up @@ -227,11 +228,123 @@ filter {
]
}
}
# New XGS fields - Firewall rules
grok {
match => {
"msg" => [
"%{GREEDYDATA} fw_rule_name=%{QUOTEDSTRING:fw_rule_name} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} fw_rule_section=%{QUOTEDSTRING:fw_rule_section} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} nat_rule_name=%{QUOTEDSTRING:nat_rule_name} %{GREEDYDATA}"
]
}
}
# New XGS fields - SD-WAN profile request
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_profile_id_request=%{NUMBER:sdwan_profile_id_request} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_profile_name_request=%{QUOTEDSTRING:sdwan_profile_name_request} %{GREEDYDATA}"
]
}
}
# New XGS fields - SD-WAN profile reply
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_profile_id_reply=%{NUMBER:sdwan_profile_id_reply} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_profile_name_reply=%{QUOTEDSTRING:sdwan_profile_name_reply} %{GREEDYDATA}"
]
}
}
# New XGS fields - Gateway request
grok {
match => {
"msg" => [
"%{GREEDYDATA} gw_id_request=%{NUMBER:gw_id_request} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} gw_name_request=%{QUOTEDSTRING:gw_name_request} %{GREEDYDATA}"
]
}
}
# New XGS fields - Gateway reply
grok {
match => {
"msg" => [
"%{GREEDYDATA} gw_id_reply=%{NUMBER:gw_id_reply} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} gw_name_reply=%{QUOTEDSTRING:gw_name_reply} %{GREEDYDATA}"
]
}
}
# New XGS fields - SD-WAN route request
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_route_id_request=%{NUMBER:sdwan_route_id_request} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_route_name_request=%{QUOTEDSTRING:sdwan_route_name_request} %{GREEDYDATA}"
]
}
}
# New XGS fields - SD-WAN route reply
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_route_id_reply=%{NUMBER:sdwan_route_id_reply} %{GREEDYDATA}"
]
}
}
grok {
match => {
"msg" => [
"%{GREEDYDATA} sdwan_route_name_reply=%{QUOTEDSTRING:sdwan_route_name_reply} %{GREEDYDATA}"
]
}
}
#1.3.7
grok {
match => {
"msg" => [
"%{GREEDYDATA} dst_mac=%{QUOTEDSTRING:dst_mac} %{GREEDYDATA}"
"%{GREEDYDATA} dst_mac=%{DATA:dst_mac} %{GREEDYDATA}"
]
}
}
Expand Down Expand Up @@ -305,7 +418,7 @@ filter {
grok {
match => {
"msg" => [
"%{GREEDYDATA} src_mac=%{QUOTEDSTRING:src_mac} %{GREEDYDATA}"
"%{GREEDYDATA} src_mac=%{DATA:src_mac} %{GREEDYDATA}"
]
}
}
Expand Down Expand Up @@ -534,6 +647,17 @@ filter {
#1.3.7
gsub => ["dst_mac", '"', ""]

#New XGS fields
gsub => ["fw_rule_name", '"', ""]
gsub => ["fw_rule_section", '"', ""]
gsub => ["nat_rule_name", '"', ""]
gsub => ["sdwan_profile_name_request", '"', ""]
gsub => ["sdwan_profile_name_reply", '"', ""]
gsub => ["gw_name_request", '"', ""]
gsub => ["gw_name_reply", '"', ""]
gsub => ["sdwan_route_name_request", '"', ""]
gsub => ["sdwan_route_name_reply", '"', ""]

#New fields from Content Filtering log_type
gsub => ["category", '"', ""]
gsub => ["category_type", '"', ""]
Expand Down Expand Up @@ -794,6 +918,23 @@ filter {
#1.3.7
rename => { "[dst_mac]" => "[logx][sophos][dst_mac]" }

#New XGS fields
rename => { "[fw_rule_name]" => "[logx][sophos][fw_rule_name]" }
rename => { "[fw_rule_section]" => "[logx][sophos][fw_rule_section]" }
rename => { "[nat_rule_name]" => "[logx][sophos][nat_rule_name]" }
rename => { "[sdwan_profile_id_request]" => "[logx][sophos][sdwan_profile_id_request]" }
rename => { "[sdwan_profile_name_request]" => "[logx][sophos][sdwan_profile_name_request]" }
rename => { "[sdwan_profile_id_reply]" => "[logx][sophos][sdwan_profile_id_reply]" }
rename => { "[sdwan_profile_name_reply]" => "[logx][sophos][sdwan_profile_name_reply]" }
rename => { "[gw_id_request]" => "[logx][sophos][gw_id_request]" }
rename => { "[gw_name_request]" => "[logx][sophos][gw_name_request]" }
rename => { "[gw_id_reply]" => "[logx][sophos][gw_id_reply]" }
rename => { "[gw_name_reply]" => "[logx][sophos][gw_name_reply]" }
rename => { "[sdwan_route_id_request]" => "[logx][sophos][sdwan_route_id_request]" }
rename => { "[sdwan_route_name_request]" => "[logx][sophos][sdwan_route_name_request]" }
rename => { "[sdwan_route_id_reply]" => "[logx][sophos][sdwan_route_id_reply]" }
rename => { "[sdwan_route_name_reply]" => "[logx][sophos][sdwan_route_name_reply]" }

#New fields from Content Filtering log_type
rename => { "[category]" => "[logx][sophos][category]" }
rename => { "[category_type]" => "[logx][sophos][category_type]" }
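Review bot: The relaxed `%{DATA:dst_mac}` and `%{DATA:src_mac}` captures (the dst_mac grok in the third hunk, the src_mac grok in the fourth) accept any run of non-space characters, so a malformed or unexpected value lands in `[logx][sophos][dst_mac]` / `[logx][sophos][src_mac]` with no shape check, where the previous `QUOTEDSTRING` at least required a quoted token. If the unquoted form Sophos now emits is a plain colon-separated address, the stock `MAC` grok pattern keeps the match strict while still accepting both forms: `"%{GREEDYDATA} dst_mac=(?:%{QUOTEDSTRING:dst_mac}|%{MAC:dst_mac}) %{GREEDYDATA}"` (and the same for src_mac). Dropping the `== "SFW"` guard in the second hunk also routes every `[logx][sophos][device]` value through this SFW-specific grok chain; if other device values can appear, that is worth confirming, since each grok that fails to match tags the event `_grokparsefailure` unless `tag_on_failure` is set somewhere outside the shown hunks. The existing blocks are labelled with the version that introduced them (`#1.3.7` before the dst_mac grok, gsub and rename), so the new `# New XGS fields` / `#New XGS fields` comments would be easier to trace with the same convention, e.g. `# 2.1.0 - New XGS fields`. All of these grok, gsub and rename statements sit inside the top-level `filter` block, which extends beyond the shown hunks.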