DDS: F5 Distributed Cloud integration (V2.0.0) #2457

Open
wants to merge 22 commits into
base: master
22 commits
3bd8716
Updated F5 distributed cloud services integration.
madhavpandya-crest Aug 2, 2024
5799385
Updated manifest file.
madhavpandya-crest Aug 2, 2024
5b396cc
Fixed pipeline failures.
madhavpandya-crest Aug 2, 2024
b98587b
Renamed test file.
madhavpandya-crest Aug 2, 2024
f46d88b
Updated pipeline and test yaml file.
madhavpandya-crest Aug 5, 2024
3288764
Renamed logs file.
madhavpandya-crest Aug 5, 2024
f9f27a4
Updated dashboard files, manifest and images file.
madhavpandya-crest Aug 7, 2024
566e894
Updated Dashboard.
madhavpandya-crest Aug 7, 2024
b10c162
Updated description of the dashboards.
madhavpandya-crest Aug 7, 2024
c6a7e31
Updated Facets order.
madhavpandya-crest Aug 7, 2024
daf7243
Added installation source in pipeline yaml file.
madhavpandya-crest Aug 8, 2024
c4f7566
Renamed yaml file.
madhavpandya-crest Aug 8, 2024
098403e
Updated source value in f5 distributed cloud services pipeline.
madhavpandya-crest Aug 8, 2024
df83354
Added logs results.
madhavpandya-crest Aug 8, 2024
cd0c6bd
Merge branch 'master' into f5-distributed-cloud-services-V2.0.0
ankitarajput-crest Aug 8, 2024
1c724eb
Merge branch 'master' into f5-distributed-cloud-services-V2.0.0
ankitarajput-crest Aug 9, 2024
0de7fe4
Updated dashboard images and logos.
madhavpandya-crest Aug 21, 2024
f838bb1
Updated dashboard files.
madhavpandya-crest Aug 29, 2024
00ff1fc
Merge branch 'master' into f5-distributed-cloud-services-V2.0.0
ankitarajput-crest Sep 4, 2024
d6e0bb9
Updated source type name in manifest json file.
madhavpandya-crest Sep 11, 2024
d698bb9
Update pipeline processor description and updated field name in bot d…
madhavpandya-crest Sep 12, 2024
b6b5920
Updated readme file.
madhavpandya-crest Sep 13, 2024
6 changes: 6 additions & 0 deletions f5-distributed-cloud/CHANGELOG.md
@@ -6,3 +6,9 @@

* Initial F5XC Integration Tile.

## 2.0.0 / 2024-08-01

**Added**

* Added support of bot-defense and waf events.
* Added dashboards and detection rules for bot-defense and waf events.
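Review bot: "Added support of bot-defense and waf events" should read "Added support for", and "waf" should be "WAF" to match the capitalisation used in the README hunk below. Also confirm that 2.0.0 / 2024-08-01 is the release date you want published, since the source type name in the manifest was still being changed in the Sep 11 commit of this PR.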
8 changes: 7 additions & 1 deletion f5-distributed-cloud/README.md
@@ -7,8 +7,14 @@ The F5 XC platform includes the Global Log Receiver, which can be configured to

This integration includes:

- Dashboard - *Access Log Overview*
- Dashboard - *Access Log Overview* , *WAF Events Overview* , *BOT Defense Events Overview*
- Saved View - *Including facets for commonly queried fields*
- Detection Rules - *Detection rules for F5 WAF and Bot Defense Events*
- F5 - WAF - High Number of Traffic Being Blocked : Identify high volume of traffic being blocked by the Web Application Firewall (WAF).
- F5 - WAF - Unusual Traffic From Single Source IP : Identify unusual traffic patterns originating from a single source IP address.
- F5 - Bot Defense - Single Host Affected by Multiple Domains : Detect when a single host within the network is targeted by multiple domains, indicating potential bot activity.
- F5 - Bot Defense - Multiple Hosts Affected From a Single Bot Client : Identify when multiple hosts are affected by traffic from a single bot client.
- F5 - Bot Defense- Abnormal Traffic Observed in Specific Country : Identify and respond to abnormal traffic patterns observed in particular country within the last 30 minutes.

## Setup

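Review bot: the new dashboard line has stray spaces before the commas (`*Access Log Overview* , *WAF Events Overview* ,`) and the last rule name is missing a space in `Bot Defense- Abnormal`; please tidy both. The same rule's description reads "in particular country" where "in a particular country" is meant, and it is the only one of the five that states its evaluation window ("within the last 30 minutes"): either state the window for every rule or drop it here so the list is consistent.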
1,887 changes: 1,887 additions & 0 deletions f5-distributed-cloud/assets/dashboards/f5xc_bot_defense_events_overview.json

2,179 changes: 2,179 additions & 0 deletions f5-distributed-cloud/assets/dashboards/f5xc_waf_events_overview.json

8 changes: 8 additions & 0 deletions f5-distributed-cloud/assets/logos/F5DCS_logo.svg
281 changes: 281 additions & 0 deletions f5-distributed-cloud/assets/logs/f5-distributed-cloud-services.yaml
@@ -0,0 +1,281 @@
id: f5-distributed-cloud-services
metric_id: f5-distributed-cloud-services
backend_only: false
installation_sources:
- f5xc
facets:
- groups:
- Web Access
name: Method
path: http.method
source: log
- groups:
- Web Access
name: Status Code
path: http.status_code
source: log
- groups:
- Web Access
name: User-Agent
path: http.useragent
source: log
- groups:
- Web Access
name: Browser
path: http.useragent_details.browser.family
source: log
- groups:
- Web Access
name: Device
path: http.useragent_details.device.family
source: log
- groups:
- Web Access
name: OS
path: http.useragent_details.os.family
source: log
- groups:
- Geoip
name: City Name
path: network.client.geoip.city.name
source: log
- groups:
- Geoip
name: Continent Code
path: network.client.geoip.continent.code
source: log
- groups:
- Geoip
name: Continent Name
path: network.client.geoip.continent.name
source: log
- groups:
- Geoip
name: Country ISO Code
path: network.client.geoip.country.iso_code
source: log
- groups:
- Geoip
name: Country Name
path: network.client.geoip.country.name
source: log
- groups:
- Geoip
name: Subdivision ISO Code
path: network.client.geoip.subdivision.iso_code
source: log
- groups:
- Geoip
name: Subdivision Name
path: network.client.geoip.subdivision.name
source: log
- groups:
- Web Access
name: Client IP
path: network.client.ip
source: log
- groups:
- Web Access
name: Client Port
path: network.client.port
source: log
- groups:
- Geoip
name: Destination City Name
path: network.destination.geoip.city.name
source: log
- groups:
- Geoip
name: Destination Continent Code
path: network.destination.geoip.continent.code
source: log
- groups:
- Geoip
name: Destination Continent Name
path: network.destination.geoip.continent.name
source: log
- groups:
- Geoip
name: Destination Country ISO Code
path: network.destination.geoip.country.iso_code
source: log
- groups:
- Geoip
name: Destination Country Name
path: network.destination.geoip.country.name
source: log
- groups:
- Geoip
name: Destination Subdivision ISO Code
path: network.destination.geoip.subdivision.iso_code
source: log
- groups:
- Geoip
name: Destination Subdivision Name
path: network.destination.geoip.subdivision.name
source: log
- groups:
- Web Access
name: Destination IP
path: network.destination.ip
source: log
- groups:
- Web Access
name: Destination Port
path: network.destination.port
source: log
- groups:
- User
name: User ID
path: usr.id
source: log
pipeline:
type: pipeline
name: F5 Distributed cloud services
enabled: true
filter:
query: "source:f5xc"
processors:
- type: pipeline
name: Pipeline for Specific `sec_event_type`
enabled: true
filter:
query: "@sec_event_type:(bot_defense_sec_event OR waf_sec_event) "
processors:
- type: service-remapper
name: Define `sec_event_type` as the official service of the log
enabled: true
sources:
- sec_event_type
- type: date-remapper
name: Define `time` as the official date of the log
enabled: true
sources:
- time
- type: status-remapper
name: Define `severity` as the official status of the log
enabled: true
sources:
- severity
- type: attribute-remapper
name: Map `dst_ip` to `network.destination.ip`
enabled: true
sources:
- dst_ip
sourceType: attribute
target: network.destination.ip
targetType: attribute
preserveSource: false
overrideOnConflict: false
- type: attribute-remapper
name: Map `dst_port` to `network.destination.port`
enabled: true
sources:
- dst_port
sourceType: attribute
target: network.destination.port
targetType: attribute
preserveSource: true

Why is preserveSource set to true for some of the attribute-remappers? Is this not a new integration? Are you relying on "dst_port" naming when analyzing your logs?

@bhargavnariyanicrest bhargavnariyanicrest Sep 24, 2024
No, this is an update integration and we would like to preserve the older values for anyone using the existing attributes in their custom-created assets.

Ok thank you

overrideOnConflict: false
- type: attribute-remapper
name: Map `hostname` to `host`
enabled: true
sources:
- hostname
sourceType: attribute
target: host
targetType: attribute
preserveSource: true
overrideOnConflict: false
- type: attribute-remapper
name: Map `method` to `http.method`
enabled: true
sources:
- method
sourceType: attribute
target: http.method
targetType: attribute
preserveSource: true
overrideOnConflict: false
- type: attribute-remapper
name: Map `rsp_code` to `http.status_code`
enabled: true
sources:
- rsp_code
sourceType: attribute
target: http.status_code
targetType: attribute
preserveSource: true
overrideOnConflict: false
- type: attribute-remapper
name: Map `src` to `source`
enabled: true
sources:
- src
sourceType: attribute
target: source
targetType: attribute
preserveSource: true
overrideOnConflict: false
- type: attribute-remapper
name: Map `src_ip` to `network.client.ip`
enabled: true
sources:
- src_ip
sourceType: attribute
target: network.client.ip
targetType: attribute
preserveSource: true
overrideOnConflict: false
- type: attribute-remapper
name: Map `src_port` to `network.client.port`
enabled: true
sources:
- src_port
sourceType: attribute
target: network.client.port
targetType: attribute
preserveSource: false
overrideOnConflict: false
- type: attribute-remapper
name: Map `user` to `usr.id`
enabled: true
sources:
- user
sourceType: attribute
target: usr.id
targetType: attribute
preserveSource: false
overrideOnConflict: false
- type: attribute-remapper
name: Map `user_agent` to `http.useragent`
enabled: true
sources:
- user_agent
sourceType: attribute
target: http.useragent
targetType: attribute
preserveSource: false
overrideOnConflict: false
- type: user-agent-parser
name: Extracting user-agent information from the user-agent
enabled: true
sources:
- http.useragent
target: http.useragent_details
encoded: false
combineVersionDetails: false
- type: geo-ip-parser
name: Extracting geolocation information from the client IP
enabled: true
sources:
- network.client.ip
target: network.client.geoip
ip_processing_behavior: do-nothing
- type: geo-ip-parser
name: Extracting geolocation information from the destionation IP
enabled: true
sources:
- network.destination.ip
target: network.destination.geoip
ip_processing_behavior: do-nothing
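Review bot: the reply in the thread above says the old attribute names are kept so that existing custom assets keep working, but four of the remappers (`dst_ip`, `src_port`, `user`, `user_agent`) have `preserveSource: false` while the rest have `true`; either set all of them to `true` or add a note explaining why those four are dropped. Two smaller points in the same file: the sub-pipeline filter query `"@sec_event_type:(bot_defense_sec_event OR waf_sec_event) "` carries a trailing space inside the quotes, and `destionation` in the name of the last geo-ip-parser should be `destination`. Finally, the `src` to `source` remapper writes an attribute whose name matches the reserved `source` tag that the top-level `source:f5xc` filter selects on; a short comment confirming that overlap is intended (or a more specific target name) would save the next reader from wondering whether the pipeline filter can be affected.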