The following configuration will make it easier to parse Syslog messages sent from your Websense appliance to your ELK stack.
If you need assistance setting up SIEM integration with Websense you may follow their official guide which is fairly straightforward.
Additionally here’s the documentation for category IDs and classifications which helped tremendously in trying to identify what event IDs correlated to what events:
TRITON AP-WEB and Web Filter & Security, v8.3.x
Finally: Here’s the Logstash configuration:
input { tcp { port => 5000 type => websense } } filter { if [type] == "websense" { grok { match => { "message" => "%{IPV4:SourceIP}\s%{DATA:vendor}\s%{DATA:Product}\s%{DATA:Product_Version}\s%{DATA:Action}\s%{DATA:SeverityIgnore}%{INT:Severity}\s%{DATA:CategoryIgnore}%{INT:Category}\s%{DATA:UserIgnore}%{USERNAME:Username}\s%{DATA:sourceIgnore}%{IPV4:SourceHost}\s%{DATA:PortIgnore}%{INT:SourcePort}\s%{DATA:HostIgnore}%{DATA:DestinationHost}\s%{DATA:DestinationIPgnore}%{IPV4:DestinationIP}\s%{DATA:DestPortIgnore}%{INT:DestPort}\s%{DATA:BytesOUtIgnore}%{INT:BytesOut}\s%{DATA:BytesIn}%{INT:BytesIn}\s%{DATA:HttpResponseIgnore}%{INT:HttpResponse}\s%{DATA:HttpMethod}\s%{DATA:ContentType}\s%{DATA:UserAgent}\s%{DATA:HttpProxyStatusIgnore}%{INT:HttpProxyStatus}\s%{DATA:Reason}\s%{DATA:DispositionIgnore}%{INT:Disposition}\s%{DATA:Policy}\s%{DATA:RoleIgnore}%{INT:Role}\s%{DATA:DurationIgnore}%{INT:Duration}\s%{GREEDYDATA:URL}" } } } } ##Geo-Map Information #filter { #if [type] == "websense" { #geoip { # source => "DestinationIP" # database => "/etc/logstash/GeoLite2-City.mmdb" # } # } #} #Adding Categories filter { if [type] == "websense" { if [Category] == "1" { mutate { add_field => { "CategoryDesc" => "Adult Material" } } } else if [Category] == "2" { mutate { add_field => { "CategoryDesc" => "Business and Economy" } } } else if [Category] == "3" { mutate { add_field => { "CategoryDesc" => "Education" } } } else if [Category] == "4" { mutate { add_field => { "CategoryDesc" => "Government" } } } else if [Category] == "5" { mutate { add_field => { "CategoryDesc" => "News and Media" } } } else if [Category] == "6" { mutate { add_field => { "CategoryDesc" => "Religion" } } } else if [Category] == "7" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles" } } } else if [Category] == "8" { mutate { add_field => { "CategoryDesc" => "Special Events" } } } else if [Category] == "9" { mutate { add_field => { "CategoryDesc" => "Information Technology" } } } else if [Category] == "10" { mutate { add_field => { "CategoryDesc" => "Abortion" } } } else if [Category] == "11" { mutate { add_field => { "CategoryDesc" => "Advocacy Groups" } } } else if [Category] == "12" { mutate { add_field => { "CategoryDesc" => "Entertainment" } } } else if [Category] == "13" { mutate { add_field => { "CategoryDesc" => "Gambling" } } } else if [Category] == "14" { mutate { add_field => { "CategoryDesc" => "Games" } } } else if [Category] == "15" { mutate { add_field => { "CategoryDesc" => "Illegal or Questionable" } } } else if [Category] == "16" { mutate { add_field => { "CategoryDesc" => "Job Search" } } } else if [Category] == "17" { mutate { add_field => { "CategoryDesc" => "Shopping" } } } else if [Category] == "18" { mutate { add_field => { "CategoryDesc" => "Sports" } } } else if [Category] == "19" { mutate { add_field => { "CategoryDesc" => "Tasteless" } } } else if [Category] == "20" { mutate { add_field => { "CategoryDesc" => "Travel" } } } else if [Category] == "21" { mutate { add_field => { "CategoryDesc" => "Vehicles" } } } else if [Category] == "22" { mutate { add_field => { "CategoryDesc" => "Violence" } } } else if [Category] == "23" { mutate { add_field => { "CategoryDesc" => "Weapons" } } } else if [Category] == "24" { mutate { add_field => { "CategoryDesc" => "Drugs" } } } else if [Category] == "25" { mutate { add_field => { "CategoryDesc" => "Militancy and Extremist" } } } else if [Category] == "26" { mutate { add_field => { "CategoryDesc" => "Intolerance" } } } else if [Category] == "21" { mutate { add_field => { "CategoryDesc" => "Vehicles" } } } else if [Category] == "27" { mutate { add_field => { "CategoryDesc" => "Health" } } } else if [Category] == "29" { mutate { add_field => { "CategoryDesc" => "Productivity : Advertisements" } } } else if [Category] == "65" { mutate { add_field => { "CategoryDesc" => "Adult Material: Nudity" } } } else if [Category] == "66" { mutate { add_field => { "CategoryDesc" => "Adult Material: Adult Content" } } } else if [Category] == "67" { mutate { add_field => { "CategoryDesc" => "Adult Material: Sex" } } } else if [Category] == "68" { mutate { add_field => { "CategoryDesc" => "Business and Economy: Financial Data and Services" } } } else if [Category] == "69" { mutate { add_field => { "CategoryDesc" => "Education : Cultural Institutions" } } } else if [Category] == "70" { mutate { add_field => { "CategoryDesc" => "Entertainment: Media File Download" } } } else if [Category] == "72" { mutate { add_field => { "CategoryDesc" => "Government : Military" } } } else if [Category] == "73" { mutate { add_field => { "CategoryDesc" => "Government : Political Organizations" } } } else if [Category] == "74" { mutate { add_field => { "CategoryDesc" => "Internet Communication : General Email" } } } else if [Category] == "75" { mutate { add_field => { "CategoryDesc" => "Information Technology : Proxy Avoidance" } } } else if [Category] == "76" { mutate { add_field => { "CategoryDesc" => "Business and Economy: Financial Data and Services" } } } else if [Category] == "78" { mutate { add_field => { "CategoryDesc" => "Information Technology: Web Hosting" } } } else if [Category] == "79" { mutate { add_field => { "CategoryDesc" => "Internet Communication : Web Chat" } } } else if [Category] == "80" { mutate { add_field => { "CategoryDesc" => "Information Technology : Hacking" } } } else if [Category] == "81" { mutate { add_field => { "CategoryDesc" => "News and Media : Alternative Journals" } } } else if [Category] == "83" { mutate { add_field => { "CategoryDesc" => "Religion : Traditional Religion" } } } else if [Category] == "84" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Restaurants and Dining" } } } else if [Category] == "85" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Gay or Lesbian or Bisexual Interest" } } } else if [Category] == "86" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Personals and Dating" } } } else if [Category] == "87" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Alcohol and Tobacco" } } } else if [Category] == "88" { mutate { add_field => { "CategoryDesc" => "Drugs : Prescribed Medications" } } } else if [Category] == "94" { mutate { add_field => { "CategoryDesc" => "Adult Material : Sex Education" } } } else if [Category] == "95" { mutate { add_field => { "CategoryDesc" => "Adult Material : Lingerie and Swimsuit" } } } else if [Category] == "96" { mutate { add_field => { "CategoryDesc" => "Productivity : Online Brokerage and Trading" } } } else if [Category] == "97" { mutate { add_field => { "CategoryDesc" => "Education: Education Institutions" } } } else if [Category] == "98" { mutate { add_field => { "CategoryDesc" => "Productivity : Instant Messaging" } } } else if [Category] == "99" { mutate { add_field => { "CategoryDesc" => "Productivity : Application and Software Download" } } } else if [Category] == "100" { mutate { add_field => { "CategoryDesc" => "Shopping : Pay-to-Surf" } } } else if [Category] == "101" { mutate { add_field => { "CategoryDesc" => "Shopping : Internet Auctions" } } } else if [Category] == "102" { mutate { add_field => { "CategoryDesc" => "Shopping : Real Estate" } } } else if [Category] == "103" { mutate { add_field => { "CategoryDesc" => "Shopping : Hobbies" } } } else if [Category] == "107" { mutate { add_field => { "CategoryDesc" => "Sport : Sport Hunting and Gun Clubs" } } } else if [Category] == "108" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Internet Telephony" } } } else if [Category] == "109" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Streaming Media" } } } else if [Category] == "112" { mutate { add_field => { "CategoryDesc" => "Productivity : Message Boards and Forums" } } } else if [Category] == "113" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Personal Network Storage and Backup" } } } else if [Category] == "114" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Internet Radio and TV" } } } else if [Category] == "115" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Peer-to-Peer File Sharing" } } } else if [Category] == "116" { mutate { add_field => { "CategoryDesc" => "Bandwidth" } } } else if [Category] == "117" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Social Networking" } } } else if [Category] == "118" { mutate { add_field => { "CategoryDesc" => "Education : Educational Materials" } } } else if [Category] == "121" { mutate { add_field => { "CategoryDesc" => "Education : Reference Materials" } } } else if [Category] == "123" { mutate { add_field => { "CategoryDesc" => "Social Organizations : Service and Philanthropic Organizations" } } } else if [Category] == "124" { mutate { add_field => { "CategoryDesc" => "Social Organizations : Social And Affiliation Organizations" } } } else if [Category] == "125" { mutate { add_field => { "CategoryDesc" => "Social Organizations : Professional and Worker Organizations" } } } else if [Category] == "126" { mutate { add_field => { "CategoryDesc" => "Security" } } } else if [Category] == "128" { mutate { add_field => { "CategoryDesc" => "Security : Malicious Websites" } } } else if [Category] == "138" { mutate { add_field => { "CategoryDesc" => "Information Technology : Computer Security" } } } else if [Category] == "146" { mutate { add_field => { "CategoryDesc" => "Miscellaneous" } } } else if [Category] == "147" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : Web Infrastructure" } } } else if [Category] == "148" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : Web Images" } } } else if [Category] == "149" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : Private IP Addresses" } } } else if [Category] == "150" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : Content Delivery Networks" } } } else if [Category] == "151" { mutate { add_field => { "CategoryDesc" => "Uncategorized" } } } else if [Category] == "153" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : Dynamic Content" } } } else if [Category] == "154" { mutate { add_field => { "CategoryDesc" => "Security : Spyware" } } } else if [Category] == "156" { mutate { add_field => { "CategoryDesc" => "Miscellaneous : File Download Servers" } } } else if [Category] == "164" { mutate { add_field => { "CategoryDesc" => "Security : Phishing and Other Frauds" } } } else if [Category] == "166" { mutate { add_field => { "CategoryDesc" => "Security : Keyloggers" } } } else if [Category] == "167" { mutate { add_field => { "CategoryDesc" => "Potentially Unwanted Software" } } } else if [Category] == "172" { mutate { add_field => { "CategoryDesc" => "Bot Networks" } } } else if [Category] == "192" { mutate { add_field => { "CategoryDesc" => "Extended Protection : Elevated Exposure" } } } else if [Category] == "194" { mutate { add_field => { "CategoryDesc" => "Extended Protection : Suspicious Content" } } } else if [Category] == "195" { mutate { add_field => { "CategoryDesc" => "Internet Communication : Organizational Email" } } } else if [Category] == "200" { mutate { add_field => { "CategoryDesc" => "Information Technology : Web and Email Spam" } } } else if [Category] == "201" { mutate { add_field => { "CategoryDesc" => "Information Technology : Web Collaboration" } } } else if [Category] == "202" { mutate { add_field => { "CategoryDesc" => "Parked Domain" } } } else if [Category] == "203" { mutate { add_field => { "CategoryDesc" => "Business and Economy : Hosted Business Applications" } } } else if [Category] == "204" { mutate { add_field => { "CategoryDesc" => "Society and Lifestyles : Blogs and Personal Sites" } } } else if [Category] == "205" { mutate { add_field => { "CategoryDesc" => "Security : Malicious Embedded Link" } } } else if [Category] == "206" { mutate { add_field => { "CategoryDesc" => "Security : Malicious Embedded iFrame" } } } else if [Category] == "207" { mutate { add_field => { "CategoryDesc" => "Security : Suspicious Embedded Link" } } } else if [Category] == "210" { mutate { add_field => { "CategoryDesc" => "Bandwidth : Entertainment Video" } } } else if [Category] == "218" { mutate { add_field => { "CategoryDesc" => "Security : Advanced Malware Command and Control " } } } else if [Category] == "219" { mutate { add_field => { "CategoryDesc" => "Security : Advanced Malware Payloads" } } } else if [Category] == "220" { mutate { add_field => { "CategoryDesc" => "Security : Compromised Websites" } } } else if [Category] == "221" { mutate { add_field => { "CategoryDesc" => "Extended Protection : Newly Registered Websites" } } } else if [Category] == "222" { mutate { add_field => { "CategoryDesc" => "Collaboration - Office" } } } else if [Category] == "227" { mutate { add_field => { "CategoryDesc" => "Information Technology : Web Analytics" } } } else if [Category] == "228" { mutate { add_field => { "CategoryDesc" => "Information Technology : Web and Email Marketing" } } } else if [Category] == "1500" { mutate { add_field => { "CategoryDesc" => "Social Web - Facebook" } } } else if [Category] == "1525" { mutate { add_field => { "CategoryDesc" => "Social Web - YouTube" } } } else if [Category] == "1526" { mutate { add_field => { "CategoryDesc" => "Social Web - Twitter" } } } else if [Category] == "1527" { mutate { add_field => { "CategoryDesc" => "Social Web - LinkedIn" } } } else { mutate { add_field => { "CategoryDesc" => "NOT YET CATEGORIZED" } } } } } filter { mutate { remove_field => ["BytesOUtIgnore","CategoryIgnore","DestPortIgnore","DestinationIPgnore","DispositionIgnore","DurationIgnore","HttpProxyStatusIgnore","HttpResponseIgnore","PortIgnore","RoleIgnore","SeverityIgnore","UserIgnore","sourceIgnore"] } } # Remove Product Version # filter { if [type] == "websense" { mutate { gsub => ["Action", "action=", "", "Product_Version", "product_version=", "", "DestinationHost", "dst_host=", "", "URL", "url=", ""] } } } #End of websenses---------------------------------- output { if [type] == "websense" { elasticsearch { hosts => ["http://YourElasticsearch:9200"] index => "websense-%{+YYYY.MM.dd}" } } }
Note: you may un-comment the Geo-Mapping information to get Geo-Ip information about the outbound connections.
Here’s an Kibana query to identify potential threats based on the outbound connection category:
Category: 1 OR Category: 15 OR Category: 23 OR Category: 25 OR Category: 29 OR Category: 65 OR Category: 66 OR Category: 67 OR Category: 70 OR Category: 75 OR Category: 80 OR Category: 98 OR Category: 99 OR Category: 100 OR Category: 109 OR Category: 113 OR Category: 114 OR Category: 115 OR Category: 117 OR Category: 128 OR Category: 138 OR Category: 153 OR Category: 154 OR Category: 156 OR Category: 164 OR Category: 166 OR Category: 167 OR Category: 172 OR Category: 192 OR Category: 194 OR Category: 205 OR Category: 206 OR Category: 207 OR Category: 213 OR Category: 214 OR Category: 217 OR Category: 216 OR Category: 218 OR Category: 219 OR Category: 220 OR Category: 221
Here’s an example of a dashboard created based on the information collected.
Hope this helps!
Hi,
Firstly this guide is very helpful thanks for that. I have a question,
– What type of log is choosen on the Web Security module ? CEF, LEEF or Custom.
I want to test this filter in my environment but firstly I must understand how your first filter working. Becuase you remove some field but I want to see all fields in ELK.
Thanks.