use serde::{Deserialize, Serialize};
use super::auth::AuthEvent;
use super::dhcp::DhcpEvent;
use super::dns::DnsEvent;
use super::firewall::FirewallEvent;
use super::intrusion::IntrusionEvent;
use super::log::SiemLog;
use super::webproxy::WebProxyEvent;
use super::webserver::WebServerEvent;
/// A parsed security event, classified by the kind of source that produced it.
///
/// Serialized as an internally tagged enum: the variant name is written to an
/// `event_type` field next to the payload's own fields. Variants that wrap a
/// per-source struct carry structured data; unit variants carry none.
/// `Unknown` is the `Default`.
///
/// NOTE(review): with `#[serde(tag = ...)]` serde expects a newtype payload to
/// serialize as a map, so `Json` is presumably only serializable when the
/// `Value` is a JSON object — confirm against the serde docs before relying on it.
#[derive(Serialize, Deserialize, Debug, Clone, Default)]
#[serde(tag = "event_type")]
pub enum SiemEvent {
    /// Firewall events: connections between IPs, blocked connections...
    Firewall(FirewallEvent),
    /// Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW...
    Intrusion(IntrusionEvent),
    /// Security related assessment, like the output of vulnerability scanners (Nessus) or policy enforcers (OpenSCAP). PulseSecure and Forescout can also get in this category.
    Assessment,
    /// Web Browsing Proxy
    WebProxy(WebProxyEvent),
    /// Web application servers, Adaptive Distribution Content or LoadBalancers for HTTP traffic.
    ///
    ///
    /// Ex: Apache, Nginx, Tomcat or IIS.
    WebServer(WebServerEvent),
    /// Like an antivirus, a Sandbox retrieves information about a file being malicious or not. Can be used
    /// to extract filenames, hashes or other relevant information to update a dataset of known hashes and
    /// trigger queries.
    ///
    /// Ex: Wildfire, McAfee ATD, Cuckoo...
    Sandbox,
    /// Antivirus events. Unit variant: carries no payload.
    Antivirus,
    /// Data Loss Prevention are devices that detect anomalous behaviour related to
    /// data exfiltration.
    ///
    /// Ex: Boldon
    DLP,
    /// Some devices like email gateways generate a large number of logs when an email arrives: Header processing, AV scan, attachment information...
    /// In those cases, each log is associated with an action using a trace ID or a transaction ID.
    Partitioned,
    /// Endpoint Detection and Response devices, also EPP.
    EDR,
    /// Mail events, as the name suggests, are events generated by an email gateway. Can
    /// contain threat related information if an anomaly was detected.
    /// Note that some devices generate partitioned logs instead of Mail logs.
    ///
    /// Ex: Microsoft Exchange, IronPort, Office 365...
    Mail,
    /// DNS request events. To better correlate this type of event, be careful to check whether it contains a dns_server
    /// tag, because that means that the originator of the request is a Recursive DNS and not an endpoint. It normally
    /// happens if the one generating the log was a firewall (Ex: Palo Alto) and not a DNS server, or if multiple DNS are
    /// used in the organization, like a DNS talking to another DNS.
    DNS(DnsEvent),
    /// DHCP logs associating an IP with a MAC address.
    DHCP(DhcpEvent),
    /// Logs related to authentication, like a user trying to log in to a Router,
    /// a server or any kind of system.
    ///
    /// Ex: RDP, Windows, Linux, Mailbox login...
    Auth(AuthEvent),
    /// Local events related to servers or workstations, like OS failed to update,
    /// antivirus outdated, log file cleaned, user or group changes (Including global or universal domain events).
    /// Also events related to network devices: Changes in routing policies, Firewall rules, Shutdown out of maintenance
    Endpoint,
    /// Unknown info that must be extracted and added to event fields. JSON format, like Windows events.
    ///
    /// The `Value` is stored as received; nothing in this type constrains its
    /// shape or size, so consumers must validate it before trusting its fields.
    Json(serde_json::Value),
    /// Unknown info that must be extracted and added to event fields.
    /// This is the `Default` variant.
    #[default]
    Unknown,
    /// Forensic artifacts from custom parsers
    Artifacts,
}
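/// Converts a [`SiemEvent`] into the generic [`SiemLog`] representation.
///
/// Variants that wrap a per-source event struct delegate to that struct's own
/// `Into<SiemLog>` implementation. Every other variant is mapped to an empty
/// log (`SiemLog::new("", 0, "")`); note that this also discards the payload of
/// the `Json` variant. The match is written out exhaustively so that adding a
/// variant to `SiemEvent` is a compile error here rather than a silently
/// empty log.
impl From<SiemEvent> for SiemLog {
    fn from(val: SiemEvent) -> Self {
        match val {
            SiemEvent::Firewall(fw) => fw.into(),
            SiemEvent::WebProxy(v) => v.into(),
            SiemEvent::DNS(v) => v.into(),
            SiemEvent::Intrusion(v) => v.into(),
            SiemEvent::WebServer(v) => v.into(),
            SiemEvent::Auth(v) => v.into(),
            SiemEvent::DHCP(v) => v.into(),
            // No structured payload to convert (or, for `Json`, no mapping
            // defined yet): fall back to an empty log. Callers that need the
            // original data must keep the `SiemEvent` itself.
            SiemEvent::Assessment
            | SiemEvent::Sandbox
            | SiemEvent::Antivirus
            | SiemEvent::DLP
            | SiemEvent::Partitioned
            | SiemEvent::EDR
            | SiemEvent::Mail
            | SiemEvent::Endpoint
            | SiemEvent::Json(_)
            | SiemEvent::Unknown
            | SiemEvent::Artifacts => SiemLog::new("", 0, ""),
        }
    }
}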