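// MikroTik RouterOS syslog parser definition: per-message-type formats
// (capture groups written as $name=pattern$) plus the rename mappings
// that lift the captured fields into the event schema.
//
// NOTE(review): formats appear to be tried top-to-bottom with `halt: true`
// stopping at the first match — inferred from the trailing `generic`
// fallback, which is the only format without `halt`. Confirm against the
// parser; the ordering comments below rely on it.
{
  attributes: {
    "metadata.version": "2.0.0",
    "dataSource.vendor": "MikroTik",
    "dataSource.name": "MikroTik RouterOS",
    "dataSource.category": "security",
    // Duplicates "dataSource.category" above; kept because a consumer may
    // key on either spelling — confirm which one is actually read.
    "Category": "security",
    "metadata.product.vendor_name": "MikroTik",
    "metadata.product.name": "RouterOS",
    "metadata.log_provider": "syslog",
    // Defaults for every event; individual formats override severity below.
    severity_id: 1,
    severity: "Informational"
  },
  patterns: {
    // Loose on purpose (accepts any dotted quad, e.g. 999.999.999.999);
    // adequate for extracting from trusted router output, not for validation.
    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
    // Not referenced by any format below; IPv6 firewall lines fall through
    // to `generic` until a format uses it.
    ipv6: "[0-9a-fA-F:]+",
    mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}",
    num: "\\d+",
    word: "\\w+",
    // Parentheses are included so "out:(none)" matches.
    iface: "[\\w().-]+",
    // Upper-case protocol name only. NOTE(review): RouterOS commonly appends
    // flag text to TCP/ICMP lines ("proto TCP (SYN)," / "proto ICMP (type 8,
    // code 0),"); those lines would not match the firewall formats and would
    // land in `generic` — verify against live logs before relying on
    // firewall_drop coverage.
    proto: "[A-Z]+",
    signal: "-?\\d+",
    // Not referenced by any format below.
    ts: "\\w+/\\d+/\\d+ \\d+:\\d+:\\d+|\\d+:\\d+:\\d+",
    // Greedy catch-all; see the notes where it captures client-supplied text.
    rest: ".*"
  },
  // NOTE(review): several class_uid / category pairs here differ from the
  // OCSF 1.x numbering (Detection Finding = 2004 in category 2 Findings;
  // Entity Management = 3004 in category 3 IAM; Operating System Patch State
  // = 5004 in category 5 Discovery). If the consuming XDR validates strictly
  // against OCSF these events may be rejected or re-classed — confirm which
  // schema revision the consumer expects before changing them.
  formats: [
    // ═══════════════════════════════════════════════════════════════════════════
    // FIREWALL (Network Activity 4001)
    // ═══════════════════════════════════════════════════════════════════════════
    // Firewall DROP - appears in XDR as Detection Finding
    // drop: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto TCP, 10.1.101.1:12345->10.1.101.255:22, len 64
    //
    // Listed BEFORE firewall_full on purpose: firewall_full's leading
    // `$chain=word$:` also matches "drop:", and with `halt: true` a drop line
    // would be classified as plain Traffic and the Detection Finding would
    // never fire. Keep this entry first.
    {
      id: "firewall_drop",
      attributes: {
        class_uid: 4002,
        class_name: "Detection Finding",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Create",
        type_uid: 400201,
        disposition_id: 2,
        disposition: "Blocked",
        severity_id: 3,
        severity: "Medium",
        "finding_info.title": "MikroTik Firewall Drop",
        "finding_info.types": ["Network"],
        confidence_id: 3,
        confidence: "High"
      },
      format: "drop: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$",
      halt: true
    },
    // input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 10.1.101.1:520->10.1.101.255:520, len 452
    // The leading word is the rule's log prefix / chain; it is kept under
    // unmapped.firewall_chain by the mappings below.
    {
      id: "firewall_full",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 6,
        activity_name: "Traffic",
        type_uid: 400106
      },
      format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$",
      halt: true
    },
    // forward: in:ether1 out:ether2, connection-state:established, src-mac 00:11:22:33:44:55
    {
      id: "firewall_conntrack",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 6,
        activity_name: "Traffic",
        type_uid: 400106
      },
      format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, connection-state:$conn_state=word$, src-mac $src_mac=mac$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // DHCP (DHCP Activity 4004)
    // ═══════════════════════════════════════════════════════════════════════════
    // defconf deassigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung
    //
    // `$hostname=rest$` is the DHCP client's self-reported hostname
    // (untrusted, attacker-controlled text); it lands in dst_endpoint.hostname,
    // so downstream dashboards and searches should treat it as opaque data.
    // The space before it is literal: a lease line with no hostname does not
    // match here and falls through to `generic` — confirm whether RouterOS
    // emits such lines.
    {
      id: "dhcp_deassign",
      attributes: {
        class_uid: 4004,
        class_name: "DHCP Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 2,
        activity_name: "Release",
        type_uid: 400402
      },
      format: "$dhcp_server=word$ deassigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$",
      halt: true
    },
    // defconf assigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung
    // Same hostname caveat as dhcp_deassign.
    {
      id: "dhcp_assign",
      attributes: {
        class_uid: 4004,
        class_name: "DHCP Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Lease",
        type_uid: 400401
      },
      format: "$dhcp_server=word$ assigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$",
      halt: true
    },
    // dhcp1 got address 192.168.1.100 from 192.168.1.1
    // The router acting as DHCP client; client_ip is the router's own lease.
    {
      id: "dhcp_client",
      attributes: {
        class_uid: 4004,
        class_name: "DHCP Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Lease",
        type_uid: 400401
      },
      format: "$dhcp_client=word$ got address $client_ip=ipv4$ from $dhcp_server_ip=ipv4$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // AUTHENTICATION (Authentication 3002)
    // ═══════════════════════════════════════════════════════════════════════════
    // user admin logged in from 10.1.101.212 via winbox
    {
      id: "login",
      attributes: {
        class_uid: 3002,
        class_name: "Authentication",
        category_uid: 3,
        category_name: "Identity & Access Management",
        activity_id: 1,
        activity_name: "Logon",
        type_uid: 300201,
        status_id: 1,
        status: "Success"
      },
      format: "user $user=word$ logged in from $src_ip=ipv4$ via $method=word$",
      halt: true
    },
    // user admin logged out from 10.1.101.212 via telnet
    {
      id: "logout",
      attributes: {
        class_uid: 3002,
        class_name: "Authentication",
        category_uid: 3,
        category_name: "Identity & Access Management",
        activity_id: 2,
        activity_name: "Logoff",
        type_uid: 300202,
        status_id: 1,
        status: "Success"
      },
      format: "user $user=word$ logged out from $src_ip=ipv4$ via $method=word$",
      halt: true
    },
    // login failure for user admin from 10.1.101.50 via ssh
    // Using Detection Finding class for XDR visibility
    // Failed logons are surfaced as a finding rather than as an Authentication
    // event, so brute-force detections should key on this id, not on class 3002.
    {
      id: "login_failure",
      attributes: {
        class_uid: 4002,
        class_name: "Detection Finding",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Create",
        type_uid: 400201,
        status_id: 2,
        status: "Failure",
        severity_id: 3,
        severity: "Medium",
        "finding_info.title": "MikroTik Login Failure",
        "finding_info.types": ["Authentication"],
        confidence_id: 3,
        confidence: "High"
      },
      format: "login failure for user $user=word$ from $src_ip=ipv4$ via $method=word$",
      halt: true
    },
    // connected from 203.0.113.50
    // `$user$` carries no pattern, unlike every other capture here; presumably
    // the parser applies a default — confirm, since the PPP user name is the
    // only identity on these events.
    {
      id: "ppp_connect",
      attributes: {
        class_uid: 3002,
        class_name: "Authentication",
        category_uid: 3,
        category_name: "Identity & Access Management",
        activity_id: 1,
        activity_name: "Logon",
        type_uid: 300201,
        status_id: 1,
        status: "Success",
        auth_protocol: "PPP"
      },
      format: "<$user$> connected from $src_ip=ipv4$",
      halt: true
    },
    // disconnected
    {
      id: "ppp_disconnect",
      attributes: {
        class_uid: 3002,
        class_name: "Authentication",
        category_uid: 3,
        category_name: "Identity & Access Management",
        activity_id: 2,
        activity_name: "Logoff",
        type_uid: 300202,
        auth_protocol: "PPP"
      },
      format: "<$user$> disconnected",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // CONFIGURATION (Entity Management 5004)
    // ═══════════════════════════════════════════════════════════════════════════
    // mangle rule added by admin
    // `$object=rest$` is free text from the router (may include operator-set
    // names/comments); it is kept verbatim under unmapped.config_object.
    {
      id: "config_added",
      attributes: {
        class_uid: 5004,
        class_name: "Entity Management",
        category_uid: 5,
        category_name: "Discovery",
        activity_id: 1,
        activity_name: "Create",
        type_uid: 500401
      },
      format: "$object=rest$ added by $user=word$",
      halt: true
    },
    // mangle rule changed by admin
    {
      id: "config_changed",
      attributes: {
        class_uid: 5004,
        class_name: "Entity Management",
        category_uid: 5,
        category_name: "Discovery",
        activity_id: 3,
        activity_name: "Update",
        type_uid: 500403
      },
      format: "$object=rest$ changed by $user=word$",
      halt: true
    },
    // mangle rule moved by admin
    {
      id: "config_moved",
      attributes: {
        class_uid: 5004,
        class_name: "Entity Management",
        category_uid: 5,
        category_name: "Discovery",
        activity_id: 3,
        activity_name: "Update",
        type_uid: 500403
      },
      format: "$object=rest$ moved by $user=word$",
      halt: true
    },
    // item removed by admin
    {
      id: "config_removed",
      attributes: {
        class_uid: 5004,
        class_name: "Entity Management",
        category_uid: 5,
        category_name: "Discovery",
        activity_id: 2,
        activity_name: "Delete",
        type_uid: 500402
      },
      format: "$object=rest$ removed by $user=word$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // SYSTEM (Operating System Patch State 6003)
    // ═══════════════════════════════════════════════════════════════════════════
    // router rebooted
    {
      id: "system_reboot",
      attributes: {
        class_uid: 6003,
        class_name: "Operating System Patch State",
        category_uid: 6,
        category_name: "Application Activity",
        activity_id: 0,
        activity_name: "Unknown",
        type_uid: 600300,
        severity_id: 2,
        severity: "Low"
      },
      format: "router rebooted",
      halt: true
    },
    // system,error,critical kernel failure
    {
      id: "system_critical",
      attributes: {
        class_uid: 6003,
        class_name: "Operating System Patch State",
        category_uid: 6,
        category_name: "Application Activity",
        activity_id: 0,
        activity_name: "Unknown",
        type_uid: 600300,
        severity_id: 5,
        severity: "Critical"
      },
      format: "kernel $error_msg=rest$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // WIRELESS (Network Activity 4001)
    // ═══════════════════════════════════════════════════════════════════════════
    // connected, 00:11:22:33:44:55@wlan1, signal-strength=-65
    // Note the asymmetry in the mappings: client_mac goes to dst_endpoint.mac
    // while iface goes to src_endpoint.interface_name — confirm this is the
    // intended endpoint model for station events.
    {
      id: "wireless_connect",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Open",
        type_uid: 400101
      },
      format: "connected, $client_mac=mac$@$iface=iface$, signal-strength=$signal=signal$",
      halt: true
    },
    // disconnected, 00:11:22:33:44:55@wlan1
    {
      id: "wireless_disconnect",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 2,
        activity_name: "Close",
        type_uid: 400102
      },
      format: "disconnected, $client_mac=mac$@$iface=iface$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // DNS (DNS Activity 4003)
    // ═══════════════════════════════════════════════════════════════════════════
    // dns query from 192.168.1.10: example.com A
    // `$query_hostname=rest$` captures everything after the colon, so with the
    // sample above query.hostname becomes "example.com A" (record type included).
    {
      id: "dns_query",
      attributes: {
        class_uid: 4003,
        class_name: "DNS Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Query",
        type_uid: 400301
      },
      format: "dns query from $src_ip=ipv4$: $query_hostname=rest$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // ROUTING (Network Activity 4001)
    // ═══════════════════════════════════════════════════════════════════════════
    // ospf neighbor 10.0.0.1 state changed to Full
    {
      id: "ospf_neighbor",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 5,
        activity_name: "Update",
        type_uid: 400105
      },
      format: "ospf neighbor $neighbor_ip=ipv4$ state changed to $neighbor_state=word$",
      halt: true
    },
    // bgp peer 10.0.0.2 established
    {
      id: "bgp_established",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Open",
        type_uid: 400101
      },
      format: "bgp peer $peer_ip=ipv4$ established",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // IPSEC/VPN (Tunnel Activity 4014)
    // ═══════════════════════════════════════════════════════════════════════════
    // ipsec,info phase1 negotiation succeeded for 203.0.113.1
    //
    // `$ipsec_result=word$` accepts any outcome word, so a failed negotiation
    // is also emitted as activity "Open" with the default Informational
    // severity; the outcome is only visible in unmapped.ipsec_result. Detections
    // for repeated IKE failures must filter on that field (or a dedicated
    // failure format should be added ahead of this one).
    {
      id: "ipsec_phase1",
      attributes: {
        class_uid: 4014,
        class_name: "Tunnel Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 1,
        activity_name: "Open",
        type_uid: 401401
      },
      format: "phase1 negotiation $ipsec_result=word$ for $peer_ip=ipv4$",
      halt: true
    },
    // ═══════════════════════════════════════════════════════════════════════════
    // GENERIC FALLBACK
    // ═══════════════════════════════════════════════════════════════════════════
    // Everything not matched above — including any security-relevant message
    // without a dedicated format — is emitted as Network Activity / Unknown at
    // the default Informational severity, with the raw text in
    // unmapped.raw_body. Track the volume of events carrying this id: a rise
    // usually means a format above has stopped matching (e.g. a RouterOS
    // message-format change) rather than that nothing happened.
    {
      id: "generic",
      attributes: {
        class_uid: 4001,
        class_name: "Network Activity",
        category_uid: 4,
        category_name: "Network Activity",
        activity_id: 0,
        activity_name: "Unknown",
        type_uid: 400100
      },
      format: "$body=rest$"
    }
  ],
  // Renames are global: a capture name is shared by every format that uses it,
  // so reusing a name (e.g. `peer_ip` in bgp_established and ipsec_phase1) is a
  // commitment that it maps to the same destination field.
  mappings: {
    version: 1,
    mappings: [
      {
        transformations: [
          { rename: { from: "src_ip", to: "src_endpoint.ip" } },
          { rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "src_port", to: "src_endpoint.port" } },
          { rename: { from: "dst_port", to: "dst_endpoint.port" } },
          { rename: { from: "src_mac", to: "src_endpoint.mac" } },
          { rename: { from: "in_iface", to: "src_endpoint.interface_name" } },
          { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } },
          { rename: { from: "protocol", to: "connection_info.protocol_name" } },
          // pkt_len is the logged packet length, stored as traffic.bytes.
          { rename: { from: "pkt_len", to: "traffic.bytes" } },
          { rename: { from: "client_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "client_mac", to: "dst_endpoint.mac" } },
          { rename: { from: "user", to: "actor.user.name" } },
          { rename: { from: "method", to: "auth_protocol" } },
          { rename: { from: "iface", to: "src_endpoint.interface_name" } },
          { rename: { from: "signal", to: "unmapped.wireless_signal" } },
          { rename: { from: "chain", to: "unmapped.firewall_chain" } },
          { rename: { from: "dhcp_server", to: "unmapped.dhcp_server" } },
          { rename: { from: "dhcp_server_ip", to: "unmapped.dhcp_server_ip" } },
          { rename: { from: "dhcp_client", to: "unmapped.dhcp_client" } },
          // Client-supplied DHCP hostname; see the DHCP formats above.
          { rename: { from: "hostname", to: "dst_endpoint.hostname" } },
          { rename: { from: "object", to: "unmapped.config_object" } },
          { rename: { from: "conn_state", to: "connection_info.state" } },
          { rename: { from: "neighbor_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "neighbor_state", to: "unmapped.ospf_state" } },
          { rename: { from: "peer_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "query_hostname", to: "query.hostname" } },
          { rename: { from: "ipsec_result", to: "unmapped.ipsec_result" } },
          { rename: { from: "error_msg", to: "unmapped.error_message" } },
          { rename: { from: "body", to: "unmapped.raw_body" } }
        ]
      }
    ]
  }
}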