utmstack / UTMStack

Customizable SIEM and XDR powered by Real-Time correlation and Threat Intelligence
https://utmstack.com
GNU Affero General Public License v3.0
217 stars 26 forks

[BUG] Alarm has partial information but "view last log" is populated #110

Closed secureme71 closed 12 months ago

secureme71 commented 1 year ago

Describe the bug: I don't see the data of the alert and I don't receive any alert via email, but "view last log" is OK. The Sophos XG firewall is OK.

Screenshots: [image]

Environment

Kbayero commented 12 months ago

Dear @secureme71

Let me clarify how our UTMStack alert system for Sophos XG works. The alert fields that you reported as empty populate their values from incoming logs. Here are a few examples:

- The 'Protocol' field in the alert gets its value from the 'logx.sophos.proto' field of the incoming log.

- In 'Source Detail':
  - 'Hostname' pulls its value from 'logx.sophos.src_host'
  - 'IP' is populated by 'logx.sophos.src_ip'
  - 'Port' takes its value from 'logx.sophos.src_port'
  - 'User' derives its value from 'logx.sophos.user_name'

- In 'Destination Detail':
  - 'IP' pulls its value from 'logx.sophos.dest_ip'
  - 'Port' draws its value from 'logx.sophos.dest_port'

Please note that we were not able to identify any incoming log fields that could fill in the Destination Detail 'Hostname' and 'User'.

Any other empty fields in the alert are calculated based on the values of the aforementioned fields. Therefore, if these required fields are absent in the incoming log, they won't be available to display in the alert either.
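The field mapping described in the comment above, as an added example that is not UTMStack's own code: the log-field names under the `logx.sophos.` prefix are taken from the comment; the function names, the nested-dict log shape and the sample logs are constructed assumptions. The `missing` list is the check a practitioner wants when an alert renders with empty detail sections: it names exactly which incoming fields the log did not carry.

```python
"""Build the Source/Destination detail sections of a Sophos XG alert from an
incoming log, following the mapping given in the issue comment.
Added example, not UTMStack project code; names below are assumptions."""

# Alert field -> incoming log field (mapping as stated in the comment).
# Destination 'Hostname' and 'User' have no identified source field, so they
# are deliberately absent here and will never be populated.
ALERT_FIELD_MAP = {
    "Protocol": "logx.sophos.proto",
    "Source Detail": {
        "Hostname": "logx.sophos.src_host",
        "IP": "logx.sophos.src_ip",
        "Port": "logx.sophos.src_port",
        "User": "logx.sophos.user_name",
    },
    "Destination Detail": {
        "IP": "logx.sophos.dest_ip",
        "Port": "logx.sophos.dest_port",
    },
}


def get_dotted(log, path):
    """Resolve 'a.b.c' against a nested dict; also accept a flat key 'a.b.c'."""
    if path in log:
        return log[path]
    cur = log
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_alert(log):
    """Return (alert, missing).

    alert   contains only the fields the log can populate (a section with no
            populated fields stays as an empty dict, which is what renders as
            an "empty" alert in the UI).
    missing lists the incoming log fields that were absent or blank.
    """
    alert = {}
    missing = []
    for alert_key, src in ALERT_FIELD_MAP.items():
        if isinstance(src, dict):
            section = {}
            for field, log_field in src.items():
                value = get_dotted(log, log_field)
                if value in (None, ""):
                    missing.append(log_field)
                else:
                    section[field] = value
            alert[alert_key] = section
        else:
            value = get_dotted(log, src)
            if value in (None, ""):
                missing.append(src)
            else:
                alert[alert_key] = value
    return alert, missing


# Constructed sample logs (not real UTMStack or Sophos output).
FULL_LOG = {
    "logx": {
        "sophos": {
            "proto": "TCP",
            "src_host": "ws01",
            "src_ip": "192.168.10.25",
            "src_port": 51234,
            "user_name": "alice",
            "dest_ip": "203.0.113.7",
            "dest_port": 443,
        }
    }
}
# A log that carries only protocol and destination: the Source Detail block
# will come out empty, reproducing the symptom reported in the issue.
PARTIAL_LOG = {
    "logx": {"sophos": {"proto": "UDP", "dest_ip": "203.0.113.7", "dest_port": 53}}
}

if __name__ == "__main__":
    for name, log in (("full", FULL_LOG), ("partial", PARTIAL_LOG)):
        alert, missing = build_alert(log)
        print(name, alert, "missing:", missing)
```

Run it against the raw log shown under "view last log": if `missing` lists the `src_*` and `user_name` fields, the empty alert is expected behaviour under this mapping and the fix lies in what the firewall sends, not in the alert renderer.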

secureme71 commented 12 months ago

OK, but it is very strange, because the previous version, UTMStack 9.x, did not have this issue.

You can see part of the screenshot, where you can see, for example, the IP of the source host.

[image]

However, alerts are not generated anymore after the latest upgrade.

Kbayero commented 12 months ago

I understand your concerns regarding the display of the source host IP. However, I would like to clarify that the IP you are observing in the host field is an internal IP from the Docker Swarm network.

You can verify this by using the following command in your UTMStack instance: `docker service inspect utmstack_log-auth-proxy | grep Addr`

Furthermore, I want to clarify the reason for not displaying this IP information in the alerts: it might lead to presenting incorrect information.

I would also like to note that this does not occur in all alerts. For alerts where the fields meant to be displayed are present in the log, they will be shown.
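The verification step suggested above, as an added example that is not UTMStack's own code: it parses the `"Addr"` lines from `docker service inspect utmstack_log-auth-proxy | grep Addr` into overlay networks and then checks whether a source IP seen in an alert or log belongs to one of them, which is what distinguishes the proxy's own swarm address from a real client. The inspect output embedded here is constructed, and the function names are assumptions.

```python
"""Check whether a 'source IP' in a log or alert is really an internal Docker
Swarm overlay address of the log-auth-proxy service.
Added example, not UTMStack project code; names are assumptions."""

import ipaddress
import re

# Constructed stand-in for the output of:
#   docker service inspect utmstack_log-auth-proxy | grep Addr
# On a real instance, feed the command's actual output into overlay_networks().
INSPECT_OUTPUT = """\
                "Addr": "10.0.0.3/24"
                "Addr": "10.0.1.2/24"
"""

_ADDR_RE = re.compile(r'"Addr":\s*"([^"]+)"')


def overlay_networks(inspect_output):
    """Return the overlay networks (as ip_network objects) the service is attached to."""
    nets = []
    for match in _ADDR_RE.finditer(inspect_output):
        # ip_interface keeps the prefix length; .network gives 10.0.0.0/24 etc.
        nets.append(ipaddress.ip_interface(match.group(1)).network)
    return nets


def classify_source_ip(ip, networks):
    """'swarm-internal' if ip lies in one of the service's overlay networks,
    'external' otherwise. A swarm-internal value is the proxy talking to the
    pipeline, not the host that produced the firewall event."""
    addr = ipaddress.ip_address(ip)
    return "swarm-internal" if any(addr in net for net in networks) else "external"


def audit_sources(ips, inspect_output):
    """Map each observed source IP to its classification."""
    nets = overlay_networks(inspect_output)
    return {ip: classify_source_ip(ip, nets) for ip in ips}


if __name__ == "__main__":
    # Constructed sample: one address from each overlay net, one LAN client.
    observed = ["10.0.0.3", "10.0.1.2", "192.168.10.25"]
    for ip, kind in audit_sources(observed, INSPECT_OUTPUT).items():
        print(f"{ip:16} {kind}")
```

If the IP shown in the older 9.x screenshot classifies as `swarm-internal`, it was the proxy's address rather than the firewall event's source, which is the "incorrect information" the comment says the newer version declines to display.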

secureme71 commented 12 months ago

OK, I see:

docker service inspect utmstack_log-auth-proxy | grep Addr
"Addr": "10.0.0.3/24"
"Addr": "10.0.1.2/24"

However, it is strange that I don't see the full information like in UTMStack 9.x. The firewall settings are the same.