Package umbrellalogs provides parsers for Cisco Umbrella logs: the DNS, cloud firewall (CDFW), IP and web proxy log families, each with its own record type and CSV-streaming parser.
Constants ¶
// String identifiers for the four Cisco Umbrella log families handled by this
// package. Each constant is the log-type label for the matching record type
// (DNS, CloudFirewall, IP, Proxy) below.
const (
	// TypeDNS labels Cisco Umbrella DNS log records.
	TypeDNS = "CiscoUmbrella.DNS"
	// TypeCloudFirewall labels Cisco Umbrella cloud firewall (CDFW) log records.
	TypeCloudFirewall = "CiscoUmbrella.CloudFirewall"
	// TypeIP labels Cisco Umbrella IP-layer log records.
	TypeIP = "CiscoUmbrella.IP"
	// TypeProxy labels Cisco Umbrella web proxy log records.
	TypeProxy = "CiscoUmbrella.Proxy"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CloudFirewall ¶
// CloudFirewall is one parsed Cisco Umbrella cloud firewall (CDFW) log record,
// with parsers.PantherLog embedded for the common Panther fields.
// Timestamp is the only field tagged validate:"required"; every other
// displayed field is json omitempty, so a missing CSV column simply drops out
// of the emitted JSON rather than failing the record.
// NOTE(review): IPProtocol is a uint16 even though its description names
// TCP/UDP/ICMP — presumably the numeric IP protocol number; confirm against the parser.
// NOTE(review): the IdentityType, Direction and SourceIP struct tags are elided
// in this rendering ("not displayed"), so their validation rules cannot be
// confirmed from this page.
type CloudFirewall struct { Timestamp timestamp.RFC3339 `json:"timestamp" validate:"required" description:"The timestamp of the request transaction in UTC (2015-01-16 17:48:41)."` OriginID string `json:"originId,omitempty" description:"The unique identity of the network tunnel."` Identity string `json:"identity,omitempty" description:"The name of the network tunnel."` IdentityType string `` /* 126-byte string literal not displayed */ Direction string `` /* 142-byte string literal not displayed */ IPProtocol uint16 `json:"ipProtocol" description:"The actual IP protocol of the traffic. It could be TCP, UDP, ICMP."` PacketSize uint16 `json:"packetSize,omitempty" description:"The size of the packet that Umbrella CDFW received."` SourceIP string `` /* 199-byte string literal not displayed */ SourcePort uint16 `json:"sourcePort,omitempty" description:"The internal port number of the user-generated traffic towards the CDFW."` DestinationIP string `json:"destinationIp,omitempty" description:"The destination IP address of the user-generated traffic towards the CDFW."` DestinationPort uint16 `json:"destinationPort,omitempty" description:"The destination port number of the user-generated traffic towards the CDFW."` DataCenter string `json:"dataCenter,omitempty" description:"The name of the Umbrella Data Center that processed the user-generated traffic."` RuleID string `json:"ruleId,omitempty" description:"The ID of the rule that processed the user traffic."` Verdict string `json:"verdict,omitempty" description:"The final verdict whether to allow or block the traffic based on the rule."` parsers.PantherLog }
nolint:lll,maligned
type CloudFirewallParser ¶
// CloudFirewallParser parses Cisco Umbrella cloud firewall logs. It embeds a
// *csvstream.StreamingCSVReader, so CSV reading comes from that type; the
// parser's own LogType, New and Parse methods are declared on *CloudFirewallParser.
// Construct it with NewCloudFirewallParser — the zero value's embedded reader
// pointer is nil.
type CloudFirewallParser struct {
	*csvstream.StreamingCSVReader
}
func NewCloudFirewallParser ¶
func NewCloudFirewallParser() *CloudFirewallParser
func (*CloudFirewallParser) LogType ¶
func (p *CloudFirewallParser) LogType() string
func (*CloudFirewallParser) New ¶
func (p *CloudFirewallParser) New() parsers.LogParser
func (*CloudFirewallParser) Parse ¶
func (p *CloudFirewallParser) Parse(log string) ([]*parsers.PantherLog, error)
type DNS ¶
// DNS is one parsed Cisco Umbrella DNS log record, with parsers.PantherLog embedded.
// Identities, Categories, IdentityTypes and BlockedCategories are multi-valued
// ([]string). The "V3" and "V4" comments appear to mark fields that only newer
// Umbrella log-format versions populate, so detections should treat them as optional.
// NOTE(review): the Timestamp struct tag is elided in this rendering, so whether
// it carries validate:"required" (as CloudFirewall and IP do) cannot be
// confirmed from this page.
type DNS struct { Timestamp timestamp.RFC3339 `` /* 185-byte string literal not displayed */ PolicyIdentity string `json:"policyIdentity,omitempty" description:"The first identity that matched the request."` Identities []string `json:"identities,omitempty" description:"All identities associated with this request."` InternalIP string `json:"internalIp,omitempty" description:"The internal IP address that made the request."` ExternalIP string `json:"externalIp,omitempty" description:"The external IP address that made the request."` Action string `json:"action,omitempty" description:"Whether the request was allowed or blocked."` QueryType string `` /* 131-byte string literal not displayed */ ResponseCode string `` /* 167-byte string literal not displayed */ Domain string `json:"domain,omitempty" description:"The domain that was requested."` Categories []string `json:"categories,omitempty" description:"The security or content categories that the destination matches."` // V3 PolicyIdentityType string `` /* 134-byte string literal not displayed */ IdentityTypes []string `` /* 173-byte string literal not displayed */ // V4 BlockedCategories []string `` /* 145-byte string literal not displayed */ parsers.PantherLog }
nolint:lll
type DNSParser ¶
// DNSParser parses Cisco Umbrella DNS logs by reading them through the embedded
// *csvstream.StreamingCSVReader. Construct it with NewDNSParser — the zero
// value's embedded reader pointer is nil.
// NOTE(review): no LogType/New/Parse methods are listed for this type on this
// page, unlike CloudFirewallParser and ProxyParser; presumably they are declared
// elsewhere or promoted from the embedded reader — confirm.
type DNSParser struct {
	*csvstream.StreamingCSVReader
}
func NewDNSParser ¶
func NewDNSParser() *DNSParser
type IP ¶
// IP is one parsed Cisco Umbrella IP-layer log record, with parsers.PantherLog embedded.
// Timestamp is tagged validate:"required"; all other displayed fields are omitempty.
// IdentityTypes is marked "Undocumented field" in the source, i.e. it is not part
// of Cisco's published schema — treat it as best-effort and do not write
// detections that depend on it being present.
type IP struct { Timestamp timestamp.RFC3339 `json:"timestamp" validate:"required" description:"The timestamp of the request transaction in UTC (2015-01-16 17:48:41)."` Identity string `json:"identity,omitempty" description:"The first identity that matched the request."` SourceIP string `json:"sourceIp,omitempty" description:"The IP of the computer making the request."` SourcePort uint16 `json:"sourcePort,omitempty" description:"The port the request was made on."` DestinationIP string `json:"destinationIp,omitempty" description:"The destination IP requested."` DestinationPort uint16 `json:"destinationPort,omitempty" description:"The destination port the request was made on."` Categories []string `` /* 135-byte string literal not displayed */ // Undocumented field IdentityTypes []string `` /* 173-byte string literal not displayed */ parsers.PantherLog }
type IPParser ¶
// IPParser parses Cisco Umbrella IP-layer logs by reading them through the
// embedded *csvstream.StreamingCSVReader. Construct it with NewIPParser — the
// zero value's embedded reader pointer is nil.
// NOTE(review): no LogType/New/Parse methods are listed for this type on this
// page, unlike CloudFirewallParser and ProxyParser; presumably they are declared
// elsewhere or promoted from the embedded reader — confirm.
type IPParser struct {
	*csvstream.StreamingCSVReader
}
func NewIPParser ¶
func NewIPParser() *IPParser
type Proxy ¶
// Proxy is one parsed Cisco Umbrella web proxy log record, with parsers.PantherLog embedded.
// NOTE(review): unlike CloudFirewall and IP, Timestamp here carries no
// validate:"required" tag (its tag is fully displayed), so a record with an
// empty timestamp would pass struct validation — confirm this is intended,
// since event time is what downstream detections and forensic timelines key on.
// The Referer field is serialised under the JSON key "referrer" (note the
// spelling difference from the Go field name). StatusCode's description says it
// "should always be 200 or 201"; nothing visible here enforces that, so do not
// rely on it as an invariant. SHA is described as a SHA256 hex digest of the
// response content; AVDetections, PUAs and the AMP* fields carry file-inspection
// verdicts. The "V3" and "V4" comments appear to mark fields present only in
// newer log-format versions, so treat them as optional.
type Proxy struct { Timestamp timestamp.RFC3339 `json:"timestamp" description:"The timestamp of the request transaction in UTC (2015-01-16 17:48:41)."` Identity string `json:"identity,omitempty" description:"The first identity that matched the request."` Identities []string `` /* 132-byte string literal not displayed */ InternalIP string `json:"internalIp,omitempty" description:"The internal IP address of the computer making the request."` ExternalIP string `json:"externalIp,omitempty" description:"The egress IP address of the network where the request originated."` DestinationIP string `json:"destinationIp,omitempty" description:"The destination IP address of the request."` ContentType string `json:"contentType,omitempty" description:"The type of web content, typically text/html."` Verdict string `json:"verdict,omitempty" description:"Whether the destination was blocked or allowed."` URL string `json:"url,omitempty" description:"The URL requested."` Referer string `json:"referrer,omitempty" description:"The referring domain or URL."` UserAgent string `json:"userAgent,omitempty" description:"The browser agent that made the request."` StatusCode int32 `json:"statusCode,omitempty" description:"The HTTP status code; should always be 200 or 201."` RequestSize int64 `json:"requestSize,omitempty" description:"Request size in bytes."` ResponseSize int64 `json:"responseSize,omitempty" description:"Response size in bytes."` ResponseBodySize int64 `json:"responseBodySize,omitempty" description:"Response body size in bytes."` SHA string `json:"sha,omitempty" description:"SHA256 hex digest of the response content."` Categories []string `json:"categories,omitempty" description:"The security categories for this request, such as Malware."` AVDetections []string `json:"avDetections,omitempty" description:"The detection name according to the antivirus engine used in file inspection."` PUAs []string `` /* 155-byte string literal not displayed */ AMPDisposition string `` /* 217-byte 
string literal not displayed */ AMPMalwareName string `json:"ampMalwareName,omitempty" description:"If Malicious, the name of the malware according to AMP."` AMPScore string `` /* 126-byte string literal not displayed */ // V3 IdentityType string `` /* 138-byte string literal not displayed */ // V4 BlockedCategories []string `` /* 145-byte string literal not displayed */ parsers.PantherLog }
nolint:lll
type ProxyParser ¶
// ProxyParser parses Cisco Umbrella web proxy logs. It embeds a
// *csvstream.StreamingCSVReader, so CSV reading comes from that type; the
// parser's own LogType, New and Parse methods are declared on *ProxyParser.
// Construct it with NewProxyParser — the zero value's embedded reader pointer is nil.
type ProxyParser struct {
	*csvstream.StreamingCSVReader
}
func NewProxyParser ¶
func NewProxyParser() *ProxyParser
func (*ProxyParser) LogType ¶
func (p *ProxyParser) LogType() string
func (*ProxyParser) New ¶
func (p *ProxyParser) New() parsers.LogParser
func (*ProxyParser) Parse ¶
func (p *ProxyParser) Parse(log string) ([]*parsers.PantherLog, error)