Broadcom Cloud Secure Web Gateway
Overview
Broadcom Cloud Secure Web Gateway is a cloud-native security solution providing advanced threat protection, content filtering, and data loss prevention, ensuring secure internet access and compliance for organizations with flexible deployment options and comprehensive web security features.
This integration collects access logs from the Broadcom Cloud platform.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Broadcom Cloud Secure Web Gateway. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Broadcom Cloud Secure Web Gateway on ATT&CK Navigator
Bazar Loader DGA (Domain Generation Algorithm)
Detects Bazar Loader domains based on the Bazar Loader DGA
- Effort: elementary
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Nimbo-C2 User Agent
Nimbo-C2 Uses an unusual User-Agent format in its implants.
- Effort: intermediate
Potential Azure AD Phishing Page (Adversary-in-the-Middle)
Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication.
- Effort: intermediate
Potential Bazar Loader User-Agents
Detects potential Bazar loader communications through the user-agent
- Effort: elementary
Potential Lemon Duck User-Agent
Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
Sliver DNS Beaconing
Detects suspicious DNS queries known from Sliver beaconing
- Effort: intermediate
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Web logs |
collect network activities from source |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | web |
| Type | access |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": " {\n \"count\": 1000,\n \"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(User-Agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"time-taken\": 500,\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }",
"event": {
"action": "Allow",
"category": [
"web"
],
"duration": 500000000,
"type": [
"access"
]
},
"@timestamp": "2024-01-17T12:34:56Z",
"broadcom": {
"data_leak_detected": "False",
"file_reputation_score": "95",
"forwarded_for": "192.168.0.1",
"threat_risk": {
"certificate_hostname": "Low",
"dns_lvl": "High",
"lvl": "High"
},
"virus_id": "VirusID1"
},
"client": {
"address": "192.168.1.1",
"bytes": 1024,
"ip": "192.168.1.1",
"user": {
"name": "user@example.com"
}
},
"dns": {
"answers": [
{
"data": "1.2.3.4",
"type": "A"
},
{
"data": "5.6.7.8",
"type": "A"
},
{
"data": "cname1.example.com",
"type": "CNAME"
},
{
"data": "cname2.example.com",
"type": "CNAME"
},
{
"data": "ptr1.example.com",
"type": "PTR"
},
{
"data": "ptr2.example.com",
"type": "PTR"
},
{
"data": "NoError",
"type": "RCODE"
},
{
"data": "NoError1",
"type": "RCODE"
}
],
"op_code": "DNSOpcode1",
"question": {
"class": "DNSQClass1",
"name": "DNSName1",
"type": "DNSQType1"
}
},
"host": {
"os": {
"full": "OS1"
}
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 200
}
},
"network": {
"application": "App1"
},
"observer": {
"name": "Computer1",
"product": "Cloud Secure Web Gateway",
"vendor": "Broadcom"
},
"related": {
"hosts": [
"DNSName1",
"example.com"
],
"ip": [
"192.168.1.1",
"192.168.2.1"
],
"user": [
"user@example.com"
]
},
"sekoiaio": {
"repeat": {
"count": "1000"
}
},
"server": {
"bytes": 2048,
"ip": "192.168.2.1"
},
"tls": {
"server": {
"x509": {
"alternative_names": [
"RSHostname1"
]
}
}
},
"url": {
"domain": "example.com",
"path": "/path/to/resource",
"port": 80,
"query": "param=value",
"registered_domain": "example.com",
"scheme": "http",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}
{
"message": " {\n\"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(User-Agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }",
"event": {
"action": "Allow",
"category": [
"web"
],
"type": [
"access"
]
},
"@timestamp": "2024-01-17T12:34:56Z",
"broadcom": {
"data_leak_detected": "False",
"file_reputation_score": "95",
"forwarded_for": "192.168.0.1",
"threat_risk": {
"certificate_hostname": "Low",
"dns_lvl": "High",
"lvl": "High"
},
"virus_id": "VirusID1"
},
"client": {
"address": "192.168.1.1",
"bytes": 1024,
"ip": "192.168.1.1",
"user": {
"name": "user@example.com"
}
},
"dns": {
"answers": [
{
"data": "1.2.3.4",
"type": "A"
},
{
"data": "5.6.7.8",
"type": "A"
},
{
"data": "cname1.example.com",
"type": "CNAME"
},
{
"data": "cname2.example.com",
"type": "CNAME"
},
{
"data": "ptr1.example.com",
"type": "PTR"
},
{
"data": "ptr2.example.com",
"type": "PTR"
},
{
"data": "NoError",
"type": "RCODE"
},
{
"data": "NoError1",
"type": "RCODE"
}
],
"op_code": "DNSOpcode1",
"question": {
"class": "DNSQClass1",
"name": "DNSName1",
"type": "DNSQType1"
}
},
"host": {
"os": {
"full": "OS1"
}
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 200
}
},
"network": {
"application": "App1"
},
"observer": {
"name": "Computer1",
"product": "Cloud Secure Web Gateway",
"vendor": "Broadcom"
},
"related": {
"hosts": [
"DNSName1",
"example.com"
],
"ip": [
"192.168.1.1",
"192.168.2.1"
],
"user": [
"user@example.com"
]
},
"server": {
"bytes": 2048,
"ip": "192.168.2.1"
},
"tls": {
"server": {
"x509": {
"alternative_names": [
"RSHostname1"
]
}
}
},
"url": {
"domain": "example.com",
"path": "/path/to/resource",
"port": 80,
"query": "param=value",
"registered_domain": "example.com",
"scheme": "http",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}
{
"message": " {\n\"time-taken\": \"random word\", \"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(User-Agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }",
"event": {
"action": "Allow",
"category": [
"web"
],
"type": [
"access"
]
},
"@timestamp": "2024-01-17T12:34:56Z",
"broadcom": {
"data_leak_detected": "False",
"file_reputation_score": "95",
"forwarded_for": "192.168.0.1",
"threat_risk": {
"certificate_hostname": "Low",
"dns_lvl": "High",
"lvl": "High"
},
"virus_id": "VirusID1"
},
"client": {
"address": "192.168.1.1",
"bytes": 1024,
"ip": "192.168.1.1",
"user": {
"name": "user@example.com"
}
},
"dns": {
"answers": [
{
"data": "1.2.3.4",
"type": "A"
},
{
"data": "5.6.7.8",
"type": "A"
},
{
"data": "cname1.example.com",
"type": "CNAME"
},
{
"data": "cname2.example.com",
"type": "CNAME"
},
{
"data": "ptr1.example.com",
"type": "PTR"
},
{
"data": "ptr2.example.com",
"type": "PTR"
},
{
"data": "NoError",
"type": "RCODE"
},
{
"data": "NoError1",
"type": "RCODE"
}
],
"op_code": "DNSOpcode1",
"question": {
"class": "DNSQClass1",
"name": "DNSName1",
"type": "DNSQType1"
}
},
"host": {
"os": {
"full": "OS1"
}
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 200
}
},
"network": {
"application": "App1"
},
"observer": {
"name": "Computer1",
"product": "Cloud Secure Web Gateway",
"vendor": "Broadcom"
},
"related": {
"hosts": [
"DNSName1",
"example.com"
],
"ip": [
"192.168.1.1",
"192.168.2.1"
],
"user": [
"user@example.com"
]
},
"server": {
"bytes": 2048,
"ip": "192.168.2.1"
},
"tls": {
"server": {
"x509": {
"alternative_names": [
"RSHostname1"
]
}
}
},
"url": {
"domain": "example.com",
"path": "/path/to/resource",
"port": 80,
"query": "param=value",
"registered_domain": "example.com",
"scheme": "http",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}
{
"message": "{\"x-bluecoat-request-tenant-id\":\"111\",\"date\":\"2024-03-04\",\"time\":\"16:55:02\",\"x-bluecoat-appliance-name\":\"test_name\",\"time-taken\":\"28\",\"c-ip\":\"1.2.3.4\",\"cs-userdn\":\"AAAAADASD\\\\123123\",\"sc-filter-result\":\"OBSERVED\",\"cs-categories\":\"Entertainment;Radio/Audio Streams\",\"sc-status\":\"0\",\"cs-method\":\"unknown\",\"cs-uri-scheme\":\"ssl\",\"cs-host\":\"test.test.com\",\"cs-uri-port\":\"443\",\"cs-uri-path\":\"/\",\"s-ip\":\"1.2.3.4\",\"sc-bytes\":\"0\",\"cs-bytes\":\"0\",\"x-bluecoat-location-id\":\"0\",\"x-bluecoat-location-name\":\"client\",\"x-bluecoat-access-type\":\"client_connector\",\"x-bluecoat-application-name\":\"Test\",\"r-ip\":\"1.2.3.4\",\"r-supplier-country\":\"United States\",\"x-rs-certificate-validate-status\":\"CERT_VALID\",\"x-rs-certificate-observed-errors\":\"none\",\"x-rs-connection-negotiated-ssl-version\":\"TLSv1.3\",\"x-rs-connection-negotiated-cipher\":\"TLS_AES_256_GCM_SHA384\",\"x-rs-connection-negotiated-cipher-size\":\"256\",\"x-rs-certificate-hostname\":\"*.test.com\",\"x-rs-certificate-hostname-categories\":\"Entertainment;Radio/Audio Streams\",\"x-cs-connection-negotiated-ssl-version\":\"TLSv1.3\",\"x-cs-connection-negotiated-cipher\":\"TLS_AES_256_GCM_SHA384\",\"x-cs-connection-negotiated-cipher-size\":\"256\",\"cs-icap-status\":\"ICAP_NOT_SCANNED\",\"rs-icap-status\":\"ICAP_NOT_SCANNED\",\"s-supplier-country\":\"United States\",\"s-supplier-failures\":\"%21.2.3.4|United%20States|timeout%22\",\"x-cs-client-ip-country\":\"Sweden\",\"cs-threat-risk\":\"2\",\"x-rs-certificate-hostname-threat-risk\":\"2\",\"x-client-agent-type\":\"wss-agent\",\"x-client-os\":\"architecture=x86_64 name=Windows 10 Enterprise version=1.0.1\",\"x-client-agent-sw\":\"1.2.3.45454\",\"x-client-device-id\":\"7a6f3564-505c-44c4-a079-Fgdgd\",\"x-client-device-name\":\"ieieuer1234\",\"x-sc-connection-issuer-keyring\":\"SSL_Intercept_1\",\"x-random-ipv6\":\"2001:0DB8:1eb4:5150:2222:3333:60c7:3ede\",\"x-bluecoat-transaction-uuid\\r\":\"c6fae686915242c5-000000003e8a7faf-0000000065e5fce6\\r\"}",
"event": {
"category": [
"web"
],
"duration": 28000000,
"type": [
"access"
]
},
"@timestamp": "2024-03-04T16:55:02Z",
"broadcom": {
"threat_risk": {
"certificate_hostname": "2",
"lvl": "2"
}
},
"client": {
"address": "1.2.3.4",
"bytes": 0,
"ip": "1.2.3.4",
"user": {
"name": "AAAAADASD\\123123"
}
},
"dns": {
"answers": []
},
"host": {
"os": {
"full": "architecture=x86_64 name=Windows 10 Enterprise version=1.0.1"
}
},
"http": {
"request": {
"method": "unknown"
},
"response": {
"status_code": 0
}
},
"observer": {
"product": "Cloud Secure Web Gateway",
"vendor": "Broadcom"
},
"related": {
"hosts": [
"test.test.com"
],
"ip": [
"1.2.3.4"
],
"user": [
"AAAAADASD\\123123"
]
},
"server": {
"bytes": 0,
"ip": "1.2.3.4"
},
"tls": {
"server": {
"x509": {
"alternative_names": [
"*.test.com"
]
}
}
},
"url": {
"domain": "test.test.com",
"path": "/",
"port": 443,
"registered_domain": "test.com",
"scheme": "ssl",
"subdomain": "test",
"top_level_domain": "com"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
broadcom.data_leak_detected |
keyword |
Broadcom data leak detected |
broadcom.file_reputation_score |
keyword |
Broadcom file reputation score |
broadcom.forwarded_for |
keyword |
Broadcom forwarded for |
broadcom.threat_risk.certificate_hostname |
keyword |
Broadcom threat risk certificate hostname |
broadcom.threat_risk.dns_lvl |
keyword |
Broadcom threat risk dns lvl |
broadcom.threat_risk.lvl |
keyword |
Broadcom threat risk lvl |
broadcom.virus_id |
keyword |
Broadcom virus id |
client.bytes |
long |
Bytes sent from the client to the server. |
client.ip |
ip |
IP address of the client. |
client.user.name |
keyword |
Short name or login of the user. |
dns.answers |
object |
Array of DNS answers. |
dns.op_code |
keyword |
The DNS operation code that specifies the kind of query in the message. |
dns.question.class |
keyword |
The class of records being queried. |
dns.question.name |
keyword |
The name being queried. |
dns.question.type |
keyword |
The type of record being queried. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.duration |
long |
Duration of the event in nanoseconds. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
host.os.full |
keyword |
Operating system name, including the version or code name. |
http.request.method |
keyword |
HTTP request method. |
http.response.status_code |
long |
HTTP response status code. |
network.application |
keyword |
Application level protocol name. |
observer.name |
keyword |
Custom name of the observer. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
server.bytes |
long |
Bytes sent from the server to the client. |
server.ip |
ip |
IP address of the server. |
tls.server.x509.alternative_names |
keyword |
List of subject alternative names (SAN). |
url.domain |
keyword |
Domain of the url. |
url.path |
wildcard |
Path of the request, such as "/search". |
url.port |
long |
Port of the request, such as 443. |
url.query |
keyword |
Query string of the request. |
url.scheme |
keyword |
Scheme of the url. |
user_agent.original |
keyword |
Unparsed user_agent string. |
Configure
This setup guide will show you how to provide an integration between Broadcom Cloud Secure Web Gateway events and Sekoia.io.
Prerequisites
- Broadcom Cloud Secure Web Gateway platform account
- Access to Sekoia.io Intakes and Playbook pages with write permissions
Generate Broadcom Cloud SWG credentials credentials
This instruction will share all necessary steps you should follow to generate credentials to interact with API:
- In the Cloud SWG portal, select Account ConfigurationAPI Credentials.
- Click
Add API Credentials. -
The New API Credential dialog will contain randomly generated characters in the
UsernameandPasswordfields. Save them.
Find more information in official Documentation
Sekoia.io configuration procedure
Create an intake
Go to the intake page and create a new intake from the format Broadcom Cloud SWG. Copy the intake key.
Pull events
To start to pull events, you have to:
- Go to the playbooks page and create a new playbook with the
Get Broadcom Cloud SWG eventstrigger - Set up the module configuration with the username and the password. Set up the trigger configuration with the intake key
- Start the playbook and enjoy your events