From 18090cda5a768f5d0a878738da483d75833a4021 Mon Sep 17 00:00:00 2001 From: Arnaud RENARD Date: Wed, 8 Jul 2026 16:23:32 +0200 Subject: [PATCH] [stormshield] Fix pipeline descriptions and correct documentation claims Fix the copy-pasted descriptions of the default and count ingest pipelines, remove field definitions that never appear in events (the pipeline consumes tz into event.timezone, converts duration into event.duration, renames msg to message, and drops origdst/origdstport after converting them to destination fields), and correct the documentation: the agent syslog processor is configured for RFC5424, so the README no longer presents the Legacy format as supported, and the compatibility section now covers SNS 4.x and 5.x, which share the same WELF key-value audit log format. Also document how to collect SNS IPFIX flow records with the NetFlow integration, update vendor links to the SNS v5 documentation, and use arrows for menu paths per the documentation style guide. --- .../stormshield/_dev/build/docs/README.md | 26 ++++++++------- packages/stormshield/changelog.yml | 8 +++++ .../elasticsearch/ingest_pipeline/count.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../data_stream/log/fields/fields.yml | 17 +--------- packages/stormshield/docs/README.md | 33 +++++++++---------- .../docs/knowledge_base/service_info.md | 18 +++++----- packages/stormshield/manifest.yml | 3 +- 8 files changed, 52 insertions(+), 57 deletions(-) diff --git a/packages/stormshield/_dev/build/docs/README.md b/packages/stormshield/_dev/build/docs/README.md index 61b52da5fb6..b7d36d070ed 100644 --- a/packages/stormshield/_dev/build/docs/README.md +++ b/packages/stormshield/_dev/build/docs/README.md @@ -9,7 +9,7 @@ The StormShield SNS integration for Elastic enables you to collect and analyze s This integration is compatible with the following third-party vendor systems: - Stormshield Network Security (SNS) firewalls running the unified firmware base. -- SNS v4.x, which is the primarily documented and tested version for these log formats. +- SNS 4.x and SNS 5.x, which share the same WELF key-value audit log format. ### How it works @@ -17,7 +17,7 @@ This integration collects logs from Stormshield SNS firewalls by receiving syslo ## What data does this integration collect? -The StormShield SNS integration collects a variety of security and system events from SNS instances. Each data stream provides specific insights into network activity: +The StormShield SNS integration collects a variety of security and system events from SNS instances into a single `log` data stream. The collected log families provide specific insights into network activity: - Firewall logs: These provide detailed records of filter and NAT policy decisions, including source and destination IP addresses, ports, and protocols. - Audit and administrative logs: These capture events related to administrative logins, configuration changes through `serverd`, and system-level operations. - Alarm logs: These contain security-specific alerts generated by the SNS Intrusion Prevention System (IPS) and detection engines. @@ -68,36 +68,40 @@ To configure Stormshield Network Security (SNS) to forward logs to the Elastic A 1. Log in to the Stormshield Network Security web administration interface. 2. Navigate to the **CONFIGURATION** tab. -3. Go to **NOTIFICATIONS > LOGS - SYSLOG - IPFIX**. +3. Go to **NOTIFICATIONS → LOGS - SYSLOG - IPFIX**. 4. In the **Syslog** section, make sure the service is enabled by switching the status to **ON**. 5. Select a **Profile** slot to edit (e.g., Profile 1). 6. In the **Syslog server** field, select or create a host object corresponding to the Elastic Agent host. 7. Enter the **Port** number matching your Elastic Agent configuration (e.g., `514` for UDP or `601` for TCP). 8. Select the **Protocol** (**UDP** or **TCP**) that matches your integration input. -9. Choose the **Format**: **RFC5424** is recommended for modern logging, though **Legacy** (BSD) is also supported. +9. Set the **Format** to **RFC5424**. The integration expects RFC5424 messages; the **Legacy** and **Legacy long** formats are not supported at this time. 10. In the **Advanced properties** section, enable the specific log families you want to send. Make sure **Filter Policy**, **Administration**, **System**, and **Alarms** are active. 11. Click **Apply** to save the syslog configuration. #### Enabling traffic logs for specific rules -1. Navigate to **Configuration > Security policy > Filter - NAT**. +1. Navigate to **Configuration → Security policy → Filter - NAT**. 2. Identify the security rules for which you want to collect logs. 3. Double-click a rule to open its properties. 4. Go to the **Action** menu or the General tab. 5. Set the **Log level** to **Standard (connection log)**. 6. Click **OK** and then click **Apply** at the top of the interface to deploy the policy change. +#### Collecting flow records over IPFIX (optional) + +SNS firewalls can also export network flow records over the IPFIX protocol, configured in the same **NOTIFICATIONS → LOGS - SYSLOG - IPFIX** module (default port `4739`). Flow records are not handled by this integration: to collect them, use the [NetFlow Records](https://www.elastic.co/docs/reference/integrations/netflow) integration, which supports IPFIX. Both integrations can run on the same Elastic Agent to combine audit logs with flow analytics. + #### Vendor resources -- [Stormshield SNS Syslog Configuration](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/Logs-syslog/Syslog_tab.htm) -- [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Description_of_Audit_logs/Configure_logs.htm) +- [Stormshield SNS Syslog Configuration](https://documentation.stormshield.eu/SNS/v5/en/Content/User_Configuration_Manual_SNS_v5/Logs-syslog/Syslog_tab.htm) +- [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v5/en/Content/Description_of_Audit_logs/Configure_logs.htm) - [FireMon - Stormshield Device Configuration Guide](https://docs.firemon.com/feature/Content/ADMINISTRATION/DEVICE/Devices/StormShield/Stormshield_Network_Security.htm?TocPath=Administration|Device|Devices|Choose+a+Device+to+Onboard|_____51) ### Set up steps in Kibana To set up the integration in Kibana, follow these steps: -1. In Kibana, navigate to **Management > Integrations**. +1. In Kibana, navigate to **Management → Integrations**. 2. Search for and select **Stormshield SNS**. 3. Click **Add Stormshield SNS**. 4. Configure the inputs based on your Stormshield SNS configuration. @@ -159,11 +163,11 @@ Perform the following actions on your Stormshield device to generate logs: #### 2. Check data in Kibana To verify the data in Kibana: -1. Navigate to **Analytics > Discover**. +1. Navigate to **Analytics → Discover**. 2. Select the `logs-*` data view. 3. Enter the following KQL filter in the search bar: `data_stream.dataset : "stormshield.log"` 4. Verify logs appear and expand an entry to confirm the presence of fields like `event.dataset`, `source.ip`, and `message`. -5. Navigate to **Analytics > Dashboards** and search for "Stormshield SNS" to view pre-built visualizations. +5. Navigate to **Analytics → Dashboards** and search for "Stormshield SNS" to view pre-built visualizations. ## Troubleshooting @@ -218,5 +222,5 @@ The following is a sample event for the `log` data stream: ### Vendor documentation links You'll find additional details about Stormshield SNS logs in these official resources: -* [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Description_of_Audit_logs/Configure_logs.htm) +* [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v5/en/Content/Description_of_Audit_logs/Configure_logs.htm) * [Stormshield Official Website](https://www.stormshield.com) diff --git a/packages/stormshield/changelog.yml b/packages/stormshield/changelog.yml index 832fc1c78c3..7cc80809f3f 100644 --- a/packages/stormshield/changelog.yml +++ b/packages/stormshield/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "1.5.3" + changes: + - description: Fix ingest pipeline descriptions and remove field definitions that never appear in events (`stormshield.tz`, `stormshield.duration`, `stormshield.msg`, `stormshield.origdst`, `stormshield.origdstport`). + type: bugfix + link: https://github.com/elastic/integrations/pull/20030 + - description: Correct the syslog format and SNS version compatibility statements in the documentation, and document IPFIX flow collection through the NetFlow integration. + type: bugfix + link: https://github.com/elastic/integrations/pull/20030 - version: "1.5.2" changes: - description: Remove top level note from docs diff --git a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/count.yml b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/count.yml index d723103ae7f..90c5f22565d 100644 --- a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/count.yml +++ b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/count.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for processing monitor logs from Stormshield appliances. +description: Pipeline for processing count logs from Stormshield appliances. processors: - script: tag: script_process_devices diff --git a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 21e0487bae3..b3dddc52f73 100644 --- a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for processing sample logs +description: Pipeline for processing Stormshield SNS logs processors: - set: tag: set_ecs_version_f5923549 diff --git a/packages/stormshield/data_stream/log/fields/fields.yml b/packages/stormshield/data_stream/log/fields/fields.yml index 0fc537c57e8..4b5577319ae 100644 --- a/packages/stormshield/data_stream/log/fields/fields.yml +++ b/packages/stormshield/data_stream/log/fields/fields.yml @@ -22,21 +22,9 @@ - name: dstifname type: keyword description: 'Name of the object representing the traffics destination interface. String of characters in UTF-8 format. Example: dmz1 Available from: SNS v1.0.0.' - - name: duration - type: keyword - description: 'Duration of the connection in seconds. Decimal format. Example: "173.15"' - name: fw type: keyword description: 'firewall''s ID This is the name entered by the administrator or, by default, its serial number. String of characters in UTF-8 format. Example: firewall_name or V50XXXXXXXXXXXX Available from: SNS v1.0.0.' - - name: msg - type: keyword - description: 'Text message explaining the alarm. String of characters in UTF-8 format. Example: Port probe' - - name: origdst - type: keyword - description: 'Original IP address of the destination host (before translation or the application of a virtual connection). Decimal format. Example: 192.168.0.1 Available from: SNS v1.0.0.' - - name: origdstport - type: keyword - description: 'Original port number of the destination TCP/UDP port (before translation or the application of a virtual connection). Example: "80" Available from: SNS v1.0.0.' - name: service type: keyword description: 'Service (product with a dedicated port) on which the vulnerability was detected. String of characters in UTF-8 format. Example: OpenSSH_5.4' @@ -51,10 +39,7 @@ description: 'Local time at the beginning of the logged event (time configured on the Firewall). String in YYYY-MM-DD HH:MM:SS format. Available from: SNS v1.0.0.' - name: system type: keyword - description: Indicator of the Firewalls system status. This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, etc). Decimal format representing a percentage. + description: Indicator of the Firewalls system status. This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, and so on). Decimal format representing a percentage. - name: time type: keyword description: 'Local time at which the log was recorded in the log file (time configured on the Firewall). String in YYYY-MM-DD HH:MM:SS format. Available from: SNS v1.0.0.' - - name: tz - type: keyword - description: 'Time difference between the Firewalls time and GMT. This depends on the time zone used. String in +HHMM or -HHMM format. Available from: SNS v1.0.0.' diff --git a/packages/stormshield/docs/README.md b/packages/stormshield/docs/README.md index b6c07850c5b..f56d3892238 100644 --- a/packages/stormshield/docs/README.md +++ b/packages/stormshield/docs/README.md @@ -9,7 +9,7 @@ The StormShield SNS integration for Elastic enables you to collect and analyze s This integration is compatible with the following third-party vendor systems: - Stormshield Network Security (SNS) firewalls running the unified firmware base. -- SNS v4.x, which is the primarily documented and tested version for these log formats. +- SNS 4.x and SNS 5.x, which share the same WELF key-value audit log format. ### How it works @@ -17,7 +17,7 @@ This integration collects logs from Stormshield SNS firewalls by receiving syslo ## What data does this integration collect? -The StormShield SNS integration collects a variety of security and system events from SNS instances. Each data stream provides specific insights into network activity: +The StormShield SNS integration collects a variety of security and system events from SNS instances into a single `log` data stream. The collected log families provide specific insights into network activity: - Firewall logs: These provide detailed records of filter and NAT policy decisions, including source and destination IP addresses, ports, and protocols. - Audit and administrative logs: These capture events related to administrative logins, configuration changes through `serverd`, and system-level operations. - Alarm logs: These contain security-specific alerts generated by the SNS Intrusion Prevention System (IPS) and detection engines. @@ -68,36 +68,40 @@ To configure Stormshield Network Security (SNS) to forward logs to the Elastic A 1. Log in to the Stormshield Network Security web administration interface. 2. Navigate to the **CONFIGURATION** tab. -3. Go to **NOTIFICATIONS > LOGS - SYSLOG - IPFIX**. +3. Go to **NOTIFICATIONS → LOGS - SYSLOG - IPFIX**. 4. In the **Syslog** section, make sure the service is enabled by switching the status to **ON**. 5. Select a **Profile** slot to edit (e.g., Profile 1). 6. In the **Syslog server** field, select or create a host object corresponding to the Elastic Agent host. 7. Enter the **Port** number matching your Elastic Agent configuration (e.g., `514` for UDP or `601` for TCP). 8. Select the **Protocol** (**UDP** or **TCP**) that matches your integration input. -9. Choose the **Format**: **RFC5424** is recommended for modern logging, though **Legacy** (BSD) is also supported. +9. Set the **Format** to **RFC5424**. The integration expects RFC5424 messages; the **Legacy** and **Legacy long** formats are not supported at this time. 10. In the **Advanced properties** section, enable the specific log families you want to send. Make sure **Filter Policy**, **Administration**, **System**, and **Alarms** are active. 11. Click **Apply** to save the syslog configuration. #### Enabling traffic logs for specific rules -1. Navigate to **Configuration > Security policy > Filter - NAT**. +1. Navigate to **Configuration → Security policy → Filter - NAT**. 2. Identify the security rules for which you want to collect logs. 3. Double-click a rule to open its properties. 4. Go to the **Action** menu or the General tab. 5. Set the **Log level** to **Standard (connection log)**. 6. Click **OK** and then click **Apply** at the top of the interface to deploy the policy change. +#### Collecting flow records over IPFIX (optional) + +SNS firewalls can also export network flow records over the IPFIX protocol, configured in the same **NOTIFICATIONS → LOGS - SYSLOG - IPFIX** module (default port `4739`). Flow records are not handled by this integration: to collect them, use the [NetFlow Records](https://www.elastic.co/docs/reference/integrations/netflow) integration, which supports IPFIX. Both integrations can run on the same Elastic Agent to combine audit logs with flow analytics. + #### Vendor resources -- [Stormshield SNS Syslog Configuration](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/Logs-syslog/Syslog_tab.htm) -- [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Description_of_Audit_logs/Configure_logs.htm) +- [Stormshield SNS Syslog Configuration](https://documentation.stormshield.eu/SNS/v5/en/Content/User_Configuration_Manual_SNS_v5/Logs-syslog/Syslog_tab.htm) +- [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v5/en/Content/Description_of_Audit_logs/Configure_logs.htm) - [FireMon - Stormshield Device Configuration Guide](https://docs.firemon.com/feature/Content/ADMINISTRATION/DEVICE/Devices/StormShield/Stormshield_Network_Security.htm?TocPath=Administration|Device|Devices|Choose+a+Device+to+Onboard|_____51) ### Set up steps in Kibana To set up the integration in Kibana, follow these steps: -1. In Kibana, navigate to **Management > Integrations**. +1. In Kibana, navigate to **Management → Integrations**. 2. Search for and select **Stormshield SNS**. 3. Click **Add Stormshield SNS**. 4. Configure the inputs based on your Stormshield SNS configuration. @@ -159,11 +163,11 @@ Perform the following actions on your Stormshield device to generate logs: #### 2. Check data in Kibana To verify the data in Kibana: -1. Navigate to **Analytics > Discover**. +1. Navigate to **Analytics → Discover**. 2. Select the `logs-*` data view. 3. Enter the following KQL filter in the search bar: `data_stream.dataset : "stormshield.log"` 4. Verify logs appear and expand an entry to confirm the presence of fields like `event.dataset`, `source.ip`, and `message`. -5. Navigate to **Analytics > Dashboards** and search for "Stormshield SNS" to view pre-built visualizations. +5. Navigate to **Analytics → Dashboards** and search for "Stormshield SNS" to view pre-built visualizations. ## Troubleshooting @@ -340,23 +344,18 @@ You'll find a list of all exported fields in the following table: | source.port | Port of the source. | long | | stormshield.dstif | Name of the destination interface. String of characters in UTF-8 format. Example: Ethernet 1 Available from: SNS v1.0.0. | keyword | | stormshield.dstifname | Name of the object representing the traffics destination interface. String of characters in UTF-8 format. Example: dmz1 Available from: SNS v1.0.0. | keyword | -| stormshield.duration | Duration of the connection in seconds. Decimal format. Example: "173.15" | keyword | | stormshield.fw | firewall's ID This is the name entered by the administrator or, by default, its serial number. String of characters in UTF-8 format. Example: firewall_name or V50XXXXXXXXXXXX Available from: SNS v1.0.0. | keyword | | stormshield.in_bytes | Count of bytes coming into the firewall | long | | stormshield.logtype | The specific type of log this is from. | keyword | | stormshield.metadata | Flattened metadata | flattened | -| stormshield.msg | Text message explaining the alarm. String of characters in UTF-8 format. Example: Port probe | keyword | -| stormshield.origdst | Original IP address of the destination host (before translation or the application of a virtual connection). Decimal format. Example: 192.168.0.1 Available from: SNS v1.0.0. | keyword | -| stormshield.origdstport | Original port number of the destination TCP/UDP port (before translation or the application of a virtual connection). Example: "80" Available from: SNS v1.0.0. | keyword | | stormshield.out_bytes | Count of bytes leaving the firewall | long | | stormshield.ports | The network ports found on the device | keyword | | stormshield.service | Service (product with a dedicated port) on which the vulnerability was detected. String of characters in UTF-8 format. Example: OpenSSH_5.4 | keyword | | stormshield.srcif | Internal name of the interface at the source of the traffic. String of characters in UTF-8 format. Example: Ethernet0 Available from: SNS v1.0.0. | keyword | | stormshield.srcifname | Name of the object representing the interface at the source of the traffic. String of characters in UTF-8 format. Example: out Available from: SNS v1.0.0. | keyword | | stormshield.startime | Local time at the beginning of the logged event (time configured on the Firewall). String in YYYY-MM-DD HH:MM:SS format. Available from: SNS v1.0.0. | keyword | -| stormshield.system | Indicator of the Firewalls system status. This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, etc). Decimal format representing a percentage. | keyword | +| stormshield.system | Indicator of the Firewalls system status. This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, and so on). Decimal format representing a percentage. | keyword | | stormshield.time | Local time at which the log was recorded in the log file (time configured on the Firewall). String in YYYY-MM-DD HH:MM:SS format. Available from: SNS v1.0.0. | keyword | -| stormshield.tz | Time difference between the Firewalls time and GMT. This depends on the time zone used. String in +HHMM or -HHMM format. Available from: SNS v1.0.0. | keyword | | tags | List of keywords used to tag each event. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | @@ -457,5 +456,5 @@ An example event for `log` looks as following: ### Vendor documentation links You'll find additional details about Stormshield SNS logs in these official resources: -* [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Description_of_Audit_logs/Configure_logs.htm) +* [Stormshield SNS Log Configuration Documentation](https://documentation.stormshield.eu/SNS/v5/en/Content/Description_of_Audit_logs/Configure_logs.htm) * [Stormshield Official Website](https://www.stormshield.com) diff --git a/packages/stormshield/docs/knowledge_base/service_info.md b/packages/stormshield/docs/knowledge_base/service_info.md index b86b2016170..0cc8737fe89 100644 --- a/packages/stormshield/docs/knowledge_base/service_info.md +++ b/packages/stormshield/docs/knowledge_base/service_info.md @@ -23,7 +23,7 @@ The **Stormshield SNS logs** integration collects a variety of security and syst This integration is compatible with the following third-party vendor systems: - **Stormshield Network Security (SNS)** firewalls running the unified firmware base. -- **SNS v4.x** is the primarily documented and tested version for these log formats. +- **SNS 4.x and SNS 5.x**, which share the same WELF key-value audit log format. ## Scaling and Performance @@ -57,19 +57,19 @@ To configure Stormshield Network Security (SNS) to forward logs to the Elastic A 1. Log in to the Stormshield Network Security web administration interface. 2. Navigate to the **CONFIGURATION** tab on the left sidebar. -3. Go to **NOTIFICATIONS > LOGS - SYSLOG - IPFIX**. +3. Go to **NOTIFICATIONS → LOGS - SYSLOG - IPFIX**. 4. In the **Syslog** section, ensure the service is enabled by switching the status to **ON**. 5. Select a **Profile** slot to edit (e.g., Profile 1). 6. In the **Syslog server** field, select or create a host object corresponding to the Elastic Agent host. 7. Enter the **Port** number matching your Elastic Agent configuration (e.g., `514` for UDP or `601` for TCP). 8. Select the **Protocol** (**UDP** or **TCP**) that matches your integration input. -9. Choose the **Format**: **RFC5424** is recommended for modern logging, though **Legacy** (BSD) is also supported. +9. Set the **Format** to **RFC5424**. The integration expects RFC5424 messages; the **Legacy** and **Legacy long** formats are not supported at this time. 10. In the **Advanced properties** section, enable the specific log families you wish to send. Ensure **Filter Policy**, **Administration**, **System**, and **Alarms** are active. 11. Click **Apply** to save the syslog configuration. ### Enabling Traffic Logs for Specific Rules: -1. Navigate to **Configuration > Security policy > Filter - NAT**. +1. Navigate to **Configuration → Security policy → Filter - NAT**. 2. Identify the security rules for which you want to collect logs. 3. Double-click a rule to open its properties. 4. Go to the **Action** menu or the General tab. @@ -84,7 +84,7 @@ To configure Stormshield Network Security (SNS) to forward logs to the Elastic A ## Kibana set up steps -1. In Kibana, navigate to **Management > Integrations**. +1. In Kibana, navigate to **Management → Integrations**. 2. Search for and select **StormShield SNS**. 3. Click **Add StormShield SNS**. 4. Configure the inputs based on your SNS configuration: @@ -122,15 +122,15 @@ After configuration is complete, verify that data is flowing correctly. - **Trigger Alarm:** If a test environment is available, attempt a restricted access pattern (such as an Nmap scan) to trigger an intrusion detection alarm. ### 2. Check Data in Kibana: -1. Navigate to **Analytics > Discover**. +1. Navigate to **Analytics → Discover**. 2. Select the `logs-*` data view. 3. Enter the KQL filter: `data_stream.dataset : "stormshield.log"` 4. Verify logs appear. Expand a log entry and confirm these fields: - `event.dataset` (should be `stormshield.log`) - - `source.ip` and/or `destination.ip` - - `event.action` or `event.outcome` + - `source.ip`, `destination.ip`, or both + - `event.action` - `message` (the raw log payload) -5. Navigate to **Analytics > Dashboards** and search for "StormShield SNS" to view pre-built visualizations. +5. Navigate to **Analytics → Dashboards** and search for "StormShield SNS" to view pre-built visualizations. # Troubleshooting diff --git a/packages/stormshield/manifest.yml b/packages/stormshield/manifest.yml index 3b85c8ff526..126f4aeff80 100644 --- a/packages/stormshield/manifest.yml +++ b/packages/stormshield/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.1 name: stormshield title: "StormShield SNS" -version: "1.5.2" +version: "1.5.3" source: license: "Elastic-2.0" description: "Stormshield SNS integration." @@ -10,7 +10,6 @@ categories: - network - security - firewall_security - # Added network_security category as Stormshield provides network security protection - network_security conditions: kibana: