Menlo Security
| Version | 1.5.0 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher 9.0.0 or higher |
| Supported Serverless project types What's this? |
Security |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
Menlo Security’s isolation-centric approach splits web browsing and document retrieval between the user’s device and an isolated, Disposable Virtual Container (DVC) away from the endpoint. All risky code is executed in the isolated DVC and never reaches the endpoint. Only safe display data is sent to the user’s browser. User traffic is automatically sent to this infrastructure without any impact on the users themselves.
Menlo Security's cloud based Browser Security prevents phishing and malware attacks on any browser and any device across your hybrid enterprise.
Data Loss Prevention (also known as Data Leak Prevention) detects potential data breaches or data ex-filtration transmissions and prevents them by detecting and optionally blocking sensitive data passing through the Menlo Security platform.
This module has been tested against the Menlo Security API version 2.0
The Menlo Security integration collects data for the following two events:
| Event Type |
|---|
| Web |
| DLP |
To collect data through the REST API you will need your Menlo Security API URL and an API token.
The API token to collect logs must have the Log Export API permission
This is the Web dataset.
Example
{
"@timestamp": "2023-11-21T13:12:37.102Z",
"agent": {
"ephemeral_id": "22fb9f42-0c3b-4c46-9fae-06cd89923a5b",
"id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
},
"client": {
"geo": {
"country_iso_code": "US"
},
"ip": "192.18.1.3"
},
"cloud": {
"region": "us-east-1c"
},
"data_stream": {
"dataset": "menlo.web",
"namespace": "ep",
"type": "logs"
},
"destination": {
"geo": {
"country_iso_code": "US"
},
"ip": "192.18.1.1"
},
"dns": {
"answers": {
"data": [
"192.18.1.1"
]
}
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
"snapshot": false,
"version": "8.12.2"
},
"event": {
"agent_id_status": "verified",
"category": [
"web",
"network",
"threat"
],
"dataset": "menlo.web",
"ingested": "2024-03-28T13:32:25Z",
"kind": "alert",
"outcome": "unknown",
"reason": "a77757d5-d3be-47ab-9394-cfff5887ade4"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 308
}
},
"input": {
"type": "cel"
},
"menlo": {
"web": {
"categories": "Business and Economy",
"content_type": "text/html; charset=UTF-8",
"has_password": false,
"is_iframe": "false",
"request_type": "page_request",
"risk_score": "low",
"tab_id": "1",
"tally": -1,
"ua_type": "supported_browser"
}
},
"network": {
"protocol": "http"
},
"observer": {
"geo": {
"country_iso_code": "US"
},
"ip": [
"192.18.1.2"
],
"product": "MSIP",
"vendor": "Menlo Security",
"version": "2.0"
},
"related": {
"ip": [
"192.18.1.3",
"192.18.1.1"
],
"user": [
"example_user"
]
},
"server": {
"geo": {
"country_iso_code": "US"
},
"ip": "192.18.1.1"
},
"source": {
"geo": {
"country_iso_code": "US"
},
"ip": "192.18.1.3"
},
"tags": [
"menlo",
"forwarded"
],
"url": {
"domain": "elastic.co",
"original": "http://elastic.co/",
"path": "/",
"registered_domain": "elastic.co",
"scheme": "http",
"top_level_domain": "co"
},
"user": {
"name": "example_user"
},
"user_agent": {
"device": {
"name": "Mac"
},
"name": "Chrome",
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
"os": {
"full": "Mac OS X 10.15.7",
"name": "Mac OS X",
"version": "10.15.7"
},
"version": "119.0.0.0"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| menlo.web.cached | Indicates whether the resource was obtained from the isolated browser’s cache (True) or by downloading from the origin server (False) | boolean |
| menlo.web.casb_app_name | Cloud application name | keyword |
| menlo.web.casb_cat_name | Application category ID | keyword |
| menlo.web.casb_fun_name | Application function name | keyword |
| menlo.web.casb_org_name | Application organization name | keyword |
| menlo.web.casb_profile_id | Menlo CASB profile ID | keyword |
| menlo.web.casb_profile_name | Menlo CASB profile name attached to application or exception rule | keyword |
| menlo.web.casb_profile_type | Menlo CASB profile type (sanctioned/unsanctioned/unclassified) | keyword |
| menlo.web.casb_risk_score | Menlo risk score for application (0-10) | keyword |
| menlo.web.categories | Category Rules Category type classification | keyword |
| menlo.web.content_type | Page type | keyword |
| menlo.web.has_password | Presence of password in form POST request | boolean |
| menlo.web.is_iframe | Is inline frame (iframe) element | boolean |
| menlo.web.request_type | Request type | keyword |
| menlo.web.risk_score | Risk calculated for URL | keyword |
| menlo.web.sbox | Sandbox Inspection Result | keyword |
| menlo.web.sbox_mal_act | List of malicious activities found | keyword |
| menlo.web.soph | Full file scan result | keyword |
| menlo.web.tab_id | Tab creation number within a surrogate | keyword |
| menlo.web.tally | Count of risks encountered | long |
| menlo.web.threat_types | Top level risk | keyword |
| menlo.web.threats | Threat type identified by Menlo Security internal data | keyword |
| menlo.web.ua_type | The type of user agent | keyword |
| menlo.web.virus_details | Virus detail | keyword |
| menlo.web.xff_ip | X-Forwarded-For HTTP header field originating client IP address | keyword |
This is the DLP dataset.
Example
{
"@timestamp": "2024-03-28T13:30:21.204Z",
"agent": {
"ephemeral_id": "1054908a-63b4-46fd-8028-f975d0f878c2",
"id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
},
"data_stream": {
"dataset": "menlo.dlp",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
"snapshot": false,
"version": "8.12.2"
},
"event": {
"action": "block",
"agent_id_status": "verified",
"category": [
"intrusion_detection",
"network"
],
"created": "2020-03-09T17:17:22.227Z",
"dataset": "menlo.dlp",
"id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce",
"ingested": "2024-03-28T13:30:33Z",
"kind": "alert",
"outcome": "success",
"severity": 5
},
"file": {
"hash": {
"sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a"
},
"name": "more_credit_cards.csv"
},
"http": {
"request": {
"method": "GET"
}
},
"input": {
"type": "cel"
},
"menlo": {
"dlp": {
"alerted": "false",
"category": "Download Sites",
"ccl": {
"id": "CreditordebitcardnumbersGlobal",
"match_counts": 1,
"score": 1
},
"status": "dirty",
"stream_name": "/safefile-input/working_file",
"user_input": "false"
}
},
"observer": {
"product": "MSIP",
"vendor": "Menlo Security",
"version": "2.0"
},
"related": {
"hash": [
"fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a"
],
"user": [
"admin@menlosecurity.com"
]
},
"rule": {
"id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099",
"name": "Credit card block rule"
},
"tags": [
"menlo",
"forwarded"
],
"url": {
"domain": "tinynewupload.com",
"original": "http://tinynewupload.com/",
"path": "/",
"registered_domain": "tinynewupload.com",
"scheme": "http",
"top_level_domain": "com"
},
"user": {
"name": "admin@menlosecurity.com"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| menlo.dlp.alerted | Whether or not an email alert was sent to a DLP Auditor profile | boolean |
| menlo.dlp.category | Category Rules Category type classification | keyword |
| menlo.dlp.ccl.id | Name of DLP dictionary that was violated | keyword |
| menlo.dlp.ccl.match_counts | Number of matches of the string that caused the violation | long |
| menlo.dlp.ccl.score | DLP score from the dictionary that caused the violation | long |
| menlo.dlp.status | Result from the DLP engine | keyword |
| menlo.dlp.stream_name | Internal name used for the file (usually working_file) or text stream (uid) | keyword |
| menlo.dlp.user_input | Whether or not this event was generated as a result of user form input | boolean |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.5.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.13.0 or higher 9.0.0 or higher |
| 1.4.1 | Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation. |
8.13.0 or higher |
| 1.4.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind manually set to "pipeline_error". |
8.13.0 or higher |
| 1.3.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.2.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.1.1 | Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines. |
8.13.0 or higher |
| 1.1.0 | Enhancement (View pull request) Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.0.0 | Enhancement (View pull request) Release package as GA. |
8.13.0 or higher |
| 0.1.0 | Enhancement (View pull request) Initial draft of the package |
— |