Pulse Connect Secure
Overview
Pulse Connect Secure is an SSL VPN solution for remote and mobile users.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Authentication logs |
Events are produced when a user authenticate on services of the company my means of the VPN |
Web logs |
Events are produced on web service access |
Network device logs |
Events are produced on VPN connection |
Event Samples
Find below few samples of events and how they are normalized by SEKOIA.IO.
{
"network": {
"forwarded_ip": "172.16.128.22"
},
"service": {
"name": "CB2XXPCS02",
"type": "vpn"
},
"user": {
"name": "bob",
"domain": "SEKOIA_User",
"roles": [
"VDI-Pulse_User_Role"
]
},
"source": {
"ip": "176.134.164.62",
"address": "176.134.164.62"
},
"action": {
"name": "AUT24804"
},
"event": {
"provider": "auth",
"code": "AUT24804"
}
}
{
"network": {
"forwarded_ip": "172.16.128.22"
},
"service": {
"name": "CB2XXPCS02",
"type": "vpn"
},
"user": {
"name": "alice",
"domain": "SEKOIA_User",
"roles": [
"SEKOIA_User_Role"
]
},
"source": {
"ip": "19.160.74.9",
"address": "19.160.74.9"
},
"action": {
"name": "AUT24803"
},
"event": {
"provider": "auth",
"code": "AUT24803"
}
}
{
"network": {
"forwarded_ip": "172.16.128.22"
},
"service": {
"name": "CB2XXPCS02",
"type": "vpn"
},
"user": {
"name": "bob",
"domain": "SEKOIA_User"
},
"source": {
"ip": "176.168.192.159",
"address": "176.168.192.159"
},
"action": {
"name": "AUT23457"
},
"event": {
"provider": "auth",
"code": "AUT23457"
}
}
{
"network": {
"forwarded_ip": "172.16.128.22"
},
"service": {
"name": "CB2XXPCS02",
"type": "vpn"
},
"user": {
"name": "System"
},
"source": {
"ip": "93.19.66.118",
"address": "93.19.66.118"
},
"url": {
"path": "/dana/js?prot=1&svc=4"
},
"action": {
"name": "AUT31556"
},
"event": {
"provider": "auth",
"code": "AUT31556"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
event.code |
keyword |
Identification code for this event. |
event.provider |
keyword |
Source of the event. |
network.forwarded_ip |
ip |
Host IP address when the source IP address is the proxy. |
service.name |
keyword |
Name of the service. |
service.type |
keyword |
The type of the service. |
source.ip |
ip |
IP address of the source. |
url.path |
wildcard |
Path of the request, such as "/search". |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.name |
keyword |
Short name or login of the user. |
user.roles |
keyword |
Array of user roles at the time of the event. |
Configure
As of now, the main solution to collect Pulse Secure Connect logs leverages the Rsyslog recipe along with the WELF log format offered by Pulse Secure. Please share your experiences with other recipes by editing this documentation.
Rsyslog
Please refer to the documentation of Pulse Secure Connect to forward events to your rsyslog server. The reader can consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.