Add 'DNSFilter' and 'TwinGate' Event Sources

I’d love to see an event source for DNSFilter added to the available list of integrations. It’s a solid alternative to Cisco Umbrella, especially when it comes to Mac devices (for which there is already only a short list of supported DNS services).

TwinGate is a VPN/Zero Trust Connector that serves to replace the traditional VPN architecture. It would seem there aren’t any Zero Trust event sources (others being things like Perimeter81, Zscaler, etc). I think getting these added in would give a lot of organizations greatly improved visibility.


It would be great to add Twingate.
For now, I am trying to ingest Twingate connection logs using Vector (from Datadog) via a custom Ingress Authentication source.

So we do actually have an event source for Zscaler LSS which is exactly like you described, a VPN alternative. So if we were to create a default integration for TwinGate, that is exactly where it would go, under the Ingress Authentication type.

There’s currently a decent amount of work on the plate for the IDR team so new integrations aren’t being prioritized among other items at the moment but I do suggest creating a support case as an IDEA or RFE. A lot of the integrations we build are essentially customer driven. So if there is heavy overlap between our customers and the customers use of TwinGate for example, that would certainly upgrade the priority of the project.

In the meantime though, as long as TwinGate has the ability to forward logs and has the proper info in their logs you could forward them into the Universal Ingress Authentication Type after doing some translation on the logs using something like NXLog. Rapid7 Universal Ingress Authentication | InsightIDR Documentation

I am dropping here a Vector (vector.dev) .toml configuration showing how to extract, remap, correlate and send Twingate connection logs to InsightIDR as Universal Ingress Authentication.
Tested and working for me; I can see the fields in the Ingress Authentication logs tab.

~~~toml
# Set global options
data_dir = "/var/lib/vector"

# Tail the local syslog file that contains the Twingate connector's log lines
[sources.syslog]
type = "file"
include = ["/var/log/syslog"]
ignore_checkpoints = true
read_from = "beginning"

# Keep only the Twingate ANALYTICS (connection) events
[transforms.syslog_twingate]
type = "filter"
inputs = ["syslog"]
condition = 'contains(to_string(.message) ?? "", "ANALYTICS")'

# Extract the JSON payload that follows the ANALYTICS marker and map it
# onto the Universal Ingress Authentication fields
[transforms.remap_fields]
type = "remap"
inputs = ["syslog_twingate"]
source = """
_parsed = parse_json!(parse_grok!(.message, "ANALYTICS%{SPACE}%{GREEDYDATA:json_event}").json_event)
.event_type = "INGRESS_AUTHENTICATION"
.version = "v1"
# .timestamp is set by the file source when the line is read, not taken from the event
.time = format_timestamp!(.timestamp, "%FT%TZ")
.account = split!(_parsed.user.email, "@")[0]
.source_ip = _parsed.connection.client_ip
.authentication_result = "SUCCESS"
.authentication_target = _parsed.connection.resource_ip
"""
# Drop lines that cannot be parsed/mapped instead of forwarding them half-mapped
drop_on_abort = true

# Strip the original fields (where present) so only the UIA fields reach the collector
[transforms.remove_original_fields]
type = "remap"
inputs = ["remap_fields"]
source = """
del(.file)
del(.host)
del(.message)
del(.connector)
del(.device)
del(.relays)
del(.remote_network)
del(.timestamp)
del(.user)
del(.source_type)
"""

# Send the JSON events to the InsightIDR collector listener (replace CollectorIP:port)
[sinks.socket]
type = "socket"
inputs = ["remove_original_fields"]
address = "CollectorIP:port"
mode = "udp"
encoding.codec = "json"
~~~
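The filter-and-remap step the Vector configuration above performs, written as an added Python example (not part of the original post or of Vector/Twingate) so the mapping can be checked offline before pointing a collector at it. The sample lines are constructed, and the JSON shape (`user.email`, `connection.client_ip`, `connection.resource_ip`) is assumed from the fields the config references.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines (not real Twingate output): one connection event in the
# shape the grok pattern expects, one unrelated syslog line, one event missing fields.
SAMPLE_LINES = [
    'Jan 10 12:00:00 connector ANALYTICS {"user": {"email": "alice@example.com"}, '
    '"connection": {"client_ip": "10.0.0.5", "resource_ip": "10.1.2.3"}}',
    'Jan 10 12:00:01 connector sshd[123]: Accepted publickey for alice',
    'Jan 10 12:00:02 connector ANALYTICS {"user": {"email": "bob@example.com"}}',
]

# Equivalent of the grok pattern "ANALYTICS%{SPACE}%{GREEDYDATA:json_event}".
ANALYTICS_RE = re.compile(r"ANALYTICS\s+(?P<json_event>.*)$")


def to_ingress_auth(line, ingested_at=None):
    """Translate one syslog line into a Universal Ingress Authentication event.

    Returns None when the line is not a Twingate ANALYTICS event (the filter
    transform) or when the JSON lacks the fields the remap needs (Vector would
    drop such an event because of drop_on_abort = true).
    """
    match = ANALYTICS_RE.search(line)
    if match is None:
        return None
    try:
        parsed = json.loads(match.group("json_event"))
        account = parsed["user"]["email"].split("@")[0]
        source_ip = parsed["connection"]["client_ip"]
        target = parsed["connection"]["resource_ip"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    # The Vector config formats the ingestion timestamp, not a time carried in
    # the event; this mirrors that and defaults to "now" in UTC.
    when = ingested_at or datetime.now(timezone.utc)
    return {
        "event_type": "INGRESS_AUTHENTICATION",
        "version": "v1",
        "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "source_ip": source_ip,
        "authentication_result": "SUCCESS",
        "authentication_target": target,
    }


def translate(lines, ingested_at=None):
    """Apply to_ingress_auth to every line; returns (kept_events, dropped_count)."""
    events = [to_ingress_auth(line, ingested_at) for line in lines]
    kept = [event for event in events if event is not None]
    return kept, len(events) - len(kept)


if __name__ == "__main__":
    for event in translate(SAMPLE_LINES)[0]:
        print(json.dumps(event))
```

The dropped count is the figure to watch when wiring this up for real: a non-zero value on a batch of ANALYTICS lines means the JSON shape differs from what the remap expects.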

Thank you for this! I’m glad this works for you.
