Skip to content

Broadcom Cloud Secure Web Gateway

Overview

Broadcom Cloud Secure Web Gateway is a cloud-native security solution providing advanced threat protection, content filtering, and data loss prevention, ensuring secure internet access and compliance for organizations with flexible deployment options and comprehensive web security features.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

This integration collects access logs from the Broadcom Cloud platform.

The following Sekoia.io built-in rules match the intake Broadcom Secure Web Gateway [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Broadcom Secure Web Gateway [BETA] on ATT&CK Navigator

Bazar Loader DGA (Domain Generation Algorithm)

Detects Bazar Loader domains based on the Bazar Loader DGA

  • Effort: elementary
Nimbo-C2 User Agent

Nimbo-C2 Uses an unusual User-Agent format in its implants.

  • Effort: intermediate
Potential Azure AD Phishing Page (Adversary-in-the-Middle)

Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication.

  • Effort: intermediate
Potential Bazar Loader User-Agents

Detects potential Bazar loader communications through the user-agent

  • Effort: elementary
Potential Lemon Duck User-Agent

Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".

  • Effort: elementary
Sliver DNS Beaconing

Detects suspicious DNS queries known from Sliver beaconing

  • Effort: intermediate

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Web logs collect network activities from source

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category web
Type access

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": " {\n  \"count\": 1000,\n      \"application-name\": \"App1\",\n        \"c-ip-subnet\": \"192.168.1.0/24\",\n        \"cs(referer)\": \"http://example.com\",\n        \"cs(User-Agent)\": \"Mozilla/5.0\",\n        \"cs(x-requested-with)\": \"XMLHttpRequest\",\n        \"cs-auth-group\": \"Group1\",\n        \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n        \"cs-bytes\": 1024,\n        \"cs-categories\": [\"Category1\", \"Category2\"],\n        \"cs-host\": \"example.com\",\n        \"cs-icap-error-details\": \"ErrorDetails\",\n        \"cs-icap-service\": \"ICAPService1\",\n        \"cs-icap-status\": \"ICAPStatus1\",\n        \"c-ip\": \"192.168.1.1\",\n        \"cs-method\": \"GET\",\n        \"cs-threat-risk\": \"High\",\n        \"cs-uri-extension\": \".html\",\n        \"cs-uri-path\": \"/path/to/resource\",\n        \"cs-uri-port\": 80,\n        \"cs-uri-query\": \"param=value\",\n        \"cs-uri-scheme\": \"http\",\n        \"cs-userdn\": \"user@example.com\",\n        \"cs-version\": \"HTTP/1.1\",\n        \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n        \"date\": \"2024-01-17\",\n        \"ear-cas-file-reputation-score\": 95,\n        \"ear-cs-referer\": \"http://referrer.com\",\n        \"ear-upload-source\": \"Internal\",\n        \"isolation-url\": \"http://isolation.example.com\",\n        \"ma-detonated\": true,\n        \"page-views\": 10,\n        \"r-ip\": \"10.0.0.1\",\n        \"r-supplier-country\": \"US\",\n        \"risk-groups\": [\"GroupA\", \"GroupB\"],\n        \"rs(content-type)\": \"text/html\",\n        \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n        \"rs-icap-service\": \"RSICAPService1\",\n        \"rs-icap-status\": \"RSICAPStatus1\",\n        \"rs-version\": \"HTTP/1.1\",\n        \"s-action\": \"Allow\",\n        \"s-ip\": \"192.168.2.1\",\n        \"s-source-ip\": \"192.168.2.2\",\n        \"s-supplier-country\": \"CA\",\n        \"s-supplier-failures\": 2,\n        \"s-supplier-ip\": \"192.168.2.3\",\n        \"sc-bytes\": 2048,\n        \"sc-filter-result\": \"Allowed\",\n        \"sc-status\": 200,\n        \"search-terms\": \"keyword1 keyword2\",\n        \"time\": \"12:34:56\",\n        \"time-taken\": 500,\n        \"upload-source\": \"External\",\n        \"verdict\": \"Clean\",\n        \"x-bluecoat-access-type\": \"Direct\",\n        \"x-bluecoat-appliance-name\": \"Appliance1\",\n        \"x-bluecoat-application-name\": \"App2\",\n        \"x-bluecoat-application-operation\": \"Operation1\",\n        \"x-bluecoat-location-id\": \"Location1\",\n        \"x-bluecoat-location-name\": \"LocationName1\",\n        \"x-bluecoat-reference-id\": \"ReferenceID1\",\n        \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n        \"x-bluecoat-placeholder\": \"Placeholder1\",\n        \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n        \"x-client-agent-sw\": \"AgentSoftware1\",\n        \"x-client-agent-type\": \"AgentType1\",\n        \"x-client-device-id\": \"DeviceID1\",\n        \"x-client-device-name\": \"DeviceName1\",\n        \"x-client-device-type\": \"DeviceType1\",\n        \"x-client-os\": \"OS1\",\n        \"x-cloud-rs\": \"CloudRS1\",\n        \"x-client-security-posture-details\": \"SecurityDetails1\",\n        \"x-client-security-posture-risk-score\": 75,\n        \"s-computername\": \"Computer1\",\n        \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n        \"x-cs-certificate-subject\": \"CertificateSubject1\",\n        \"x-cs-client-ip-country\": \"DE\",\n        \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n        \"x-cs-connection-negotiated-cipher-size\": 128,\n        \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n        \"x-cs-ocsp-error\": \"OCSPError1\",\n        \"x-data-leak-detected\": false,\n        \"x-dns-cs-address\": \"DNSAddress1\",\n        \"x-dns-cs-category\": \"DNSCategory1\",\n        \"x-dns-cs-dns\": \"DNSName1\",\n        \"x-dns-cs-opcode\": \"DNSOpcode1\",\n        \"x-dns-cs-qclass\": \"DNSQClass1\",\n        \"x-dns-cs-qtype\": \"DNSQType1\",\n        \"x-dns-cs-threat-risk-level\": \"High\",\n        \"x-dns-cs-transport\": \"DNSTransport1\",\n        \"x-dns-lookup-time\": 50,\n        \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n        \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n        \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n        \"x-dns-rs-rcode\": \"NoError,NoError1\",\n        \"x-exception-id\": \"ExceptionID1\",\n        \"x-http-connect-host\": \"ConnectHost1\",\n        \"x-http-connect-port\": 8080,\n        \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n        \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n        \"x-random-ipv6\": \"2001:db8::1\",\n        \"x-request-origin\": \"Origin1\",\n        \"x-rs-certificate-hostname\": \"RSHostname1\",\n        \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n        \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n        \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n        \"x-rs-certificate-observed-errors\": 3,\n        \"x-rs-certificate-validate-status\": \"Valid\",\n        \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n        \"x-rs-connection-negotiated-cipher-size\": 256,\n        \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n        \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n        \"x-rs-ocsp-error\": \"RSOCSPError1\",\n        \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n        \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n        \"x-sr-vpop-country\": \"SRVPopCountry1\",\n        \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n        \"x-sr-vpop-ip\": \"SRVPopIP1\",\n        \"x-symc-dei-app\": \"DEIApp1\",\n        \"x-symc-dei-via\": \"DEIVia1\",\n        \"x-timestamp-unix\": 1642419296,\n        \"x-virus-id\": \"VirusID1\"\n    }",
    "event": {
        "action": "Allow",
        "category": [
            "web"
        ],
        "duration": 500000000,
        "kind": "event",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2024-01-17T12:34:56Z",
    "broadcom": {
        "data_leak_detected": "False",
        "file_reputation_score": "95",
        "forwarded_for": "192.168.0.1",
        "threat_risk": {
            "certificate_hostname": "Low",
            "dns_lvl": "High",
            "lvl": "High"
        },
        "virus_id": "VirusID1"
    },
    "client": {
        "address": "192.168.1.1",
        "bytes": 1024,
        "ip": "192.168.1.1",
        "user": {
            "name": "user@example.com"
        }
    },
    "dns": {
        "answers": [
            {
                "data": "1.2.3.4",
                "type": "A"
            },
            {
                "data": "5.6.7.8",
                "type": "A"
            },
            {
                "data": "cname1.example.com",
                "type": "CNAME"
            },
            {
                "data": "cname2.example.com",
                "type": "CNAME"
            },
            {
                "data": "ptr1.example.com",
                "type": "PTR"
            },
            {
                "data": "ptr2.example.com",
                "type": "PTR"
            },
            {
                "data": "NoError",
                "type": "RCODE"
            },
            {
                "data": "NoError1",
                "type": "RCODE"
            }
        ],
        "op_code": "DNSOpcode1",
        "question": {
            "class": "DNSQClass1",
            "name": "DNSName1",
            "type": "DNSQType1"
        }
    },
    "host": {
        "os": {
            "full": "OS1"
        }
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "network": {
        "application": "App1"
    },
    "observer": {
        "name": "Computer1",
        "product": "Cloud Secure Web Gateway",
        "vendor": "Broadcom"
    },
    "related": {
        "hosts": [
            "DNSName1",
            "example.com"
        ],
        "ip": [
            "192.168.1.1",
            "192.168.2.1"
        ],
        "user": [
            "user@example.com"
        ]
    },
    "sekoiaio": {
        "repeat": {
            "count": "1000"
        }
    },
    "server": {
        "bytes": 2048,
        "ip": "192.168.2.1"
    },
    "tls": {
        "server": {
            "x509": {
                "alternative_names": [
                    "RSHostname1"
                ]
            }
        }
    },
    "url": {
        "domain": "example.com",
        "path": "/path/to/resource",
        "port": 80,
        "query": "param=value",
        "registered_domain": "example.com",
        "scheme": "http",
        "top_level_domain": "com"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Mozilla/5.0",
        "os": {
            "name": "Other"
        }
    }
}
{
    "message": " {\n\"application-name\": \"App1\",\n        \"c-ip-subnet\": \"192.168.1.0/24\",\n        \"cs(referer)\": \"http://example.com\",\n        \"cs(User-Agent)\": \"Mozilla/5.0\",\n        \"cs(x-requested-with)\": \"XMLHttpRequest\",\n        \"cs-auth-group\": \"Group1\",\n        \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n        \"cs-bytes\": 1024,\n        \"cs-categories\": [\"Category1\", \"Category2\"],\n        \"cs-host\": \"example.com\",\n        \"cs-icap-error-details\": \"ErrorDetails\",\n        \"cs-icap-service\": \"ICAPService1\",\n        \"cs-icap-status\": \"ICAPStatus1\",\n        \"c-ip\": \"192.168.1.1\",\n        \"cs-method\": \"GET\",\n        \"cs-threat-risk\": \"High\",\n        \"cs-uri-extension\": \".html\",\n        \"cs-uri-path\": \"/path/to/resource\",\n        \"cs-uri-port\": 80,\n        \"cs-uri-query\": \"param=value\",\n        \"cs-uri-scheme\": \"http\",\n        \"cs-userdn\": \"user@example.com\",\n        \"cs-version\": \"HTTP/1.1\",\n        \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n        \"date\": \"2024-01-17\",\n        \"ear-cas-file-reputation-score\": 95,\n        \"ear-cs-referer\": \"http://referrer.com\",\n        \"ear-upload-source\": \"Internal\",\n        \"isolation-url\": \"http://isolation.example.com\",\n        \"ma-detonated\": true,\n        \"page-views\": 10,\n        \"r-ip\": \"10.0.0.1\",\n        \"r-supplier-country\": \"US\",\n        \"risk-groups\": [\"GroupA\", \"GroupB\"],\n        \"rs(content-type)\": \"text/html\",\n        \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n        \"rs-icap-service\": \"RSICAPService1\",\n        \"rs-icap-status\": \"RSICAPStatus1\",\n        \"rs-version\": \"HTTP/1.1\",\n        \"s-action\": \"Allow\",\n        \"s-ip\": \"192.168.2.1\",\n        \"s-source-ip\": \"192.168.2.2\",\n        \"s-supplier-country\": \"CA\",\n        \"s-supplier-failures\": 2,\n        \"s-supplier-ip\": \"192.168.2.3\",\n        \"sc-bytes\": 2048,\n        \"sc-filter-result\": \"Allowed\",\n        \"sc-status\": 200,\n        \"search-terms\": \"keyword1 keyword2\",\n        \"time\": \"12:34:56\",\n       \"upload-source\": \"External\",\n        \"verdict\": \"Clean\",\n        \"x-bluecoat-access-type\": \"Direct\",\n        \"x-bluecoat-appliance-name\": \"Appliance1\",\n        \"x-bluecoat-application-name\": \"App2\",\n        \"x-bluecoat-application-operation\": \"Operation1\",\n        \"x-bluecoat-location-id\": \"Location1\",\n        \"x-bluecoat-location-name\": \"LocationName1\",\n        \"x-bluecoat-reference-id\": \"ReferenceID1\",\n        \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n        \"x-bluecoat-placeholder\": \"Placeholder1\",\n        \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n        \"x-client-agent-sw\": \"AgentSoftware1\",\n        \"x-client-agent-type\": \"AgentType1\",\n        \"x-client-device-id\": \"DeviceID1\",\n        \"x-client-device-name\": \"DeviceName1\",\n        \"x-client-device-type\": \"DeviceType1\",\n        \"x-client-os\": \"OS1\",\n        \"x-cloud-rs\": \"CloudRS1\",\n        \"x-client-security-posture-details\": \"SecurityDetails1\",\n        \"x-client-security-posture-risk-score\": 75,\n        \"s-computername\": \"Computer1\",\n        \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n        \"x-cs-certificate-subject\": \"CertificateSubject1\",\n        \"x-cs-client-ip-country\": \"DE\",\n        \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n        \"x-cs-connection-negotiated-cipher-size\": 128,\n        \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n        \"x-cs-ocsp-error\": \"OCSPError1\",\n        \"x-data-leak-detected\": false,\n        \"x-dns-cs-address\": \"DNSAddress1\",\n        \"x-dns-cs-category\": \"DNSCategory1\",\n        \"x-dns-cs-dns\": \"DNSName1\",\n        \"x-dns-cs-opcode\": \"DNSOpcode1\",\n        \"x-dns-cs-qclass\": \"DNSQClass1\",\n        \"x-dns-cs-qtype\": \"DNSQType1\",\n        \"x-dns-cs-threat-risk-level\": \"High\",\n        \"x-dns-cs-transport\": \"DNSTransport1\",\n        \"x-dns-lookup-time\": 50,\n        \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n        \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n        \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n        \"x-dns-rs-rcode\": \"NoError,NoError1\",\n        \"x-exception-id\": \"ExceptionID1\",\n        \"x-http-connect-host\": \"ConnectHost1\",\n        \"x-http-connect-port\": 8080,\n        \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n        \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n        \"x-random-ipv6\": \"2001:db8::1\",\n        \"x-request-origin\": \"Origin1\",\n        \"x-rs-certificate-hostname\": \"RSHostname1\",\n        \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n        \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n        \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n        \"x-rs-certificate-observed-errors\": 3,\n        \"x-rs-certificate-validate-status\": \"Valid\",\n        \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n        \"x-rs-connection-negotiated-cipher-size\": 256,\n        \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n        \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n        \"x-rs-ocsp-error\": \"RSOCSPError1\",\n        \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n        \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n        \"x-sr-vpop-country\": \"SRVPopCountry1\",\n        \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n        \"x-sr-vpop-ip\": \"SRVPopIP1\",\n        \"x-symc-dei-app\": \"DEIApp1\",\n        \"x-symc-dei-via\": \"DEIVia1\",\n        \"x-timestamp-unix\": 1642419296,\n        \"x-virus-id\": \"VirusID1\"\n    }",
    "event": {
        "action": "Allow",
        "category": [
            "web"
        ],
        "kind": "event",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2024-01-17T12:34:56Z",
    "broadcom": {
        "data_leak_detected": "False",
        "file_reputation_score": "95",
        "forwarded_for": "192.168.0.1",
        "threat_risk": {
            "certificate_hostname": "Low",
            "dns_lvl": "High",
            "lvl": "High"
        },
        "virus_id": "VirusID1"
    },
    "client": {
        "address": "192.168.1.1",
        "bytes": 1024,
        "ip": "192.168.1.1",
        "user": {
            "name": "user@example.com"
        }
    },
    "dns": {
        "answers": [
            {
                "data": "1.2.3.4",
                "type": "A"
            },
            {
                "data": "5.6.7.8",
                "type": "A"
            },
            {
                "data": "cname1.example.com",
                "type": "CNAME"
            },
            {
                "data": "cname2.example.com",
                "type": "CNAME"
            },
            {
                "data": "ptr1.example.com",
                "type": "PTR"
            },
            {
                "data": "ptr2.example.com",
                "type": "PTR"
            },
            {
                "data": "NoError",
                "type": "RCODE"
            },
            {
                "data": "NoError1",
                "type": "RCODE"
            }
        ],
        "op_code": "DNSOpcode1",
        "question": {
            "class": "DNSQClass1",
            "name": "DNSName1",
            "type": "DNSQType1"
        }
    },
    "host": {
        "os": {
            "full": "OS1"
        }
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "network": {
        "application": "App1"
    },
    "observer": {
        "name": "Computer1",
        "product": "Cloud Secure Web Gateway",
        "vendor": "Broadcom"
    },
    "related": {
        "hosts": [
            "DNSName1",
            "example.com"
        ],
        "ip": [
            "192.168.1.1",
            "192.168.2.1"
        ],
        "user": [
            "user@example.com"
        ]
    },
    "server": {
        "bytes": 2048,
        "ip": "192.168.2.1"
    },
    "tls": {
        "server": {
            "x509": {
                "alternative_names": [
                    "RSHostname1"
                ]
            }
        }
    },
    "url": {
        "domain": "example.com",
        "path": "/path/to/resource",
        "port": 80,
        "query": "param=value",
        "registered_domain": "example.com",
        "scheme": "http",
        "top_level_domain": "com"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Mozilla/5.0",
        "os": {
            "name": "Other"
        }
    }
}
{
    "message": " {\n\"time-taken\": \"random word\", \"application-name\": \"App1\",\n        \"c-ip-subnet\": \"192.168.1.0/24\",\n        \"cs(referer)\": \"http://example.com\",\n        \"cs(User-Agent)\": \"Mozilla/5.0\",\n        \"cs(x-requested-with)\": \"XMLHttpRequest\",\n        \"cs-auth-group\": \"Group1\",\n        \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n        \"cs-bytes\": 1024,\n        \"cs-categories\": [\"Category1\", \"Category2\"],\n        \"cs-host\": \"example.com\",\n        \"cs-icap-error-details\": \"ErrorDetails\",\n        \"cs-icap-service\": \"ICAPService1\",\n        \"cs-icap-status\": \"ICAPStatus1\",\n        \"c-ip\": \"192.168.1.1\",\n        \"cs-method\": \"GET\",\n        \"cs-threat-risk\": \"High\",\n        \"cs-uri-extension\": \".html\",\n        \"cs-uri-path\": \"/path/to/resource\",\n        \"cs-uri-port\": 80,\n        \"cs-uri-query\": \"param=value\",\n        \"cs-uri-scheme\": \"http\",\n        \"cs-userdn\": \"user@example.com\",\n        \"cs-version\": \"HTTP/1.1\",\n        \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n        \"date\": \"2024-01-17\",\n        \"ear-cas-file-reputation-score\": 95,\n        \"ear-cs-referer\": \"http://referrer.com\",\n        \"ear-upload-source\": \"Internal\",\n        \"isolation-url\": \"http://isolation.example.com\",\n        \"ma-detonated\": true,\n        \"page-views\": 10,\n        \"r-ip\": \"10.0.0.1\",\n        \"r-supplier-country\": \"US\",\n        \"risk-groups\": [\"GroupA\", \"GroupB\"],\n        \"rs(content-type)\": \"text/html\",\n        \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n        \"rs-icap-service\": \"RSICAPService1\",\n        \"rs-icap-status\": \"RSICAPStatus1\",\n        \"rs-version\": \"HTTP/1.1\",\n        \"s-action\": \"Allow\",\n        \"s-ip\": \"192.168.2.1\",\n        \"s-source-ip\": \"192.168.2.2\",\n        \"s-supplier-country\": \"CA\",\n        \"s-supplier-failures\": 2,\n        \"s-supplier-ip\": \"192.168.2.3\",\n        \"sc-bytes\": 2048,\n        \"sc-filter-result\": \"Allowed\",\n        \"sc-status\": 200,\n        \"search-terms\": \"keyword1 keyword2\",\n        \"time\": \"12:34:56\",\n       \"upload-source\": \"External\",\n        \"verdict\": \"Clean\",\n        \"x-bluecoat-access-type\": \"Direct\",\n        \"x-bluecoat-appliance-name\": \"Appliance1\",\n        \"x-bluecoat-application-name\": \"App2\",\n        \"x-bluecoat-application-operation\": \"Operation1\",\n        \"x-bluecoat-location-id\": \"Location1\",\n        \"x-bluecoat-location-name\": \"LocationName1\",\n        \"x-bluecoat-reference-id\": \"ReferenceID1\",\n        \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n        \"x-bluecoat-placeholder\": \"Placeholder1\",\n        \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n        \"x-client-agent-sw\": \"AgentSoftware1\",\n        \"x-client-agent-type\": \"AgentType1\",\n        \"x-client-device-id\": \"DeviceID1\",\n        \"x-client-device-name\": \"DeviceName1\",\n        \"x-client-device-type\": \"DeviceType1\",\n        \"x-client-os\": \"OS1\",\n        \"x-cloud-rs\": \"CloudRS1\",\n        \"x-client-security-posture-details\": \"SecurityDetails1\",\n        \"x-client-security-posture-risk-score\": 75,\n        \"s-computername\": \"Computer1\",\n        \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n        \"x-cs-certificate-subject\": \"CertificateSubject1\",\n        \"x-cs-client-ip-country\": \"DE\",\n        \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n        \"x-cs-connection-negotiated-cipher-size\": 128,\n        \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n        \"x-cs-ocsp-error\": \"OCSPError1\",\n        \"x-data-leak-detected\": false,\n        \"x-dns-cs-address\": \"DNSAddress1\",\n        \"x-dns-cs-category\": \"DNSCategory1\",\n        \"x-dns-cs-dns\": \"DNSName1\",\n        \"x-dns-cs-opcode\": \"DNSOpcode1\",\n        \"x-dns-cs-qclass\": \"DNSQClass1\",\n        \"x-dns-cs-qtype\": \"DNSQType1\",\n        \"x-dns-cs-threat-risk-level\": \"High\",\n        \"x-dns-cs-transport\": \"DNSTransport1\",\n        \"x-dns-lookup-time\": 50,\n        \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n        \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n        \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n        \"x-dns-rs-rcode\": \"NoError,NoError1\",\n        \"x-exception-id\": \"ExceptionID1\",\n        \"x-http-connect-host\": \"ConnectHost1\",\n        \"x-http-connect-port\": 8080,\n        \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n        \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n        \"x-random-ipv6\": \"2001:db8::1\",\n        \"x-request-origin\": \"Origin1\",\n        \"x-rs-certificate-hostname\": \"RSHostname1\",\n        \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n        \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n        \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n        \"x-rs-certificate-observed-errors\": 3,\n        \"x-rs-certificate-validate-status\": \"Valid\",\n        \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n        \"x-rs-connection-negotiated-cipher-size\": 256,\n        \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n        \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n        \"x-rs-ocsp-error\": \"RSOCSPError1\",\n        \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n        \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n        \"x-sr-vpop-country\": \"SRVPopCountry1\",\n        \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n        \"x-sr-vpop-ip\": \"SRVPopIP1\",\n        \"x-symc-dei-app\": \"DEIApp1\",\n        \"x-symc-dei-via\": \"DEIVia1\",\n        \"x-timestamp-unix\": 1642419296,\n        \"x-virus-id\": \"VirusID1\"\n    }",
    "event": {
        "action": "Allow",
        "category": [
            "web"
        ],
        "kind": "event",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2024-01-17T12:34:56Z",
    "broadcom": {
        "data_leak_detected": "False",
        "file_reputation_score": "95",
        "forwarded_for": "192.168.0.1",
        "threat_risk": {
            "certificate_hostname": "Low",
            "dns_lvl": "High",
            "lvl": "High"
        },
        "virus_id": "VirusID1"
    },
    "client": {
        "address": "192.168.1.1",
        "bytes": 1024,
        "ip": "192.168.1.1",
        "user": {
            "name": "user@example.com"
        }
    },
    "dns": {
        "answers": [
            {
                "data": "1.2.3.4",
                "type": "A"
            },
            {
                "data": "5.6.7.8",
                "type": "A"
            },
            {
                "data": "cname1.example.com",
                "type": "CNAME"
            },
            {
                "data": "cname2.example.com",
                "type": "CNAME"
            },
            {
                "data": "ptr1.example.com",
                "type": "PTR"
            },
            {
                "data": "ptr2.example.com",
                "type": "PTR"
            },
            {
                "data": "NoError",
                "type": "RCODE"
            },
            {
                "data": "NoError1",
                "type": "RCODE"
            }
        ],
        "op_code": "DNSOpcode1",
        "question": {
            "class": "DNSQClass1",
            "name": "DNSName1",
            "type": "DNSQType1"
        }
    },
    "host": {
        "os": {
            "full": "OS1"
        }
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "network": {
        "application": "App1"
    },
    "observer": {
        "name": "Computer1",
        "product": "Cloud Secure Web Gateway",
        "vendor": "Broadcom"
    },
    "related": {
        "hosts": [
            "DNSName1",
            "example.com"
        ],
        "ip": [
            "192.168.1.1",
            "192.168.2.1"
        ],
        "user": [
            "user@example.com"
        ]
    },
    "server": {
        "bytes": 2048,
        "ip": "192.168.2.1"
    },
    "tls": {
        "server": {
            "x509": {
                "alternative_names": [
                    "RSHostname1"
                ]
            }
        }
    },
    "url": {
        "domain": "example.com",
        "path": "/path/to/resource",
        "port": 80,
        "query": "param=value",
        "registered_domain": "example.com",
        "scheme": "http",
        "top_level_domain": "com"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Mozilla/5.0",
        "os": {
            "name": "Other"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
broadcom.data_leak_detected keyword Broadcom data leak detected
broadcom.file_reputation_score keyword Broadcom file reputation score
broadcom.forwarded_for keyword Broadcom forwarded for
broadcom.threat_risk.certificate_hostname keyword Broadcom threat risk certificate hostname
broadcom.threat_risk.dns_lvl keyword Broadcom threat risk dns lvl
broadcom.threat_risk.lvl keyword Broadcom threat risk lvl
broadcom.virus_id keyword Broadcom virus id
client.bytes long Bytes sent from the client to the server.
client.ip ip IP address of the client.
client.user.name keyword Short name or login of the user.
dns.answers object Array of DNS answers.
dns.op_code keyword The DNS operation code that specifies the kind of query in the message.
dns.question.class keyword The class of records being queried.
dns.question.name keyword The name being queried.
dns.question.type keyword The type of record being queried.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.duration long Duration of the event in nanoseconds.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.type keyword Event type. The third categorization field in the hierarchy.
host.os.full keyword Operating system name, including the version or code name.
http.request.method keyword HTTP request method.
http.response.status_code long HTTP response status code.
network.application keyword Application level protocol name.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
server.bytes long Bytes sent from the server to the client.
server.ip ip IP address of the server.
tls.server.x509.alternative_names keyword List of subject alternative names (SAN).
url.domain keyword Domain of the url.
url.path wildcard Path of the request, such as "/search".
url.port long Port of the request, such as 443.
url.query keyword Query string of the request.
url.scheme keyword Scheme of the url.
user_agent.original keyword Unparsed user_agent string.

Configure

This setup guide will show you how to provide an integration between Broadcom Cloud Secure Web Gateway events and Sekoia.io.

Prerequisites

  • Broadcom Cloud Secure Web Gateway platform account
  • Access to Sekoia.io Intakes and Playbook pages with write permissions

Generate Broadcom Cloud SWG credentials credentials

This instruction will share all necessary steps you should follow to generate credentials to interact with API:

  • In the Cloud SWG portal, select Account ConfigurationAPI Credentials.
  • Click Add API Credentials.
  • The New API Credential dialog will contain randomly generated characters in the Username and Password fields. Save them.

    Broadcom Cloud SWG Credentials

Find more information in official Documentation

Sekoia.io configuration procedure

Create an intake

Go to the intake page and create a new intake from the format Broadcom Cloud SWG. Copy the intake key.

Pull events

To start to pull events, you have to:

  1. Go to the playbooks page and create a new playbook with the Get Broadcom Cloud SWG events trigger
  2. Set up the module configuration with the username and the password. Set up the trigger configuration with the intake key
  3. Start the playbook and enjoy your events

Further readings