Axis Security

Overview

Axis Atmos Cloud securely connects any user to any business application or resource, via a centrally managed service.

The Axis audit logs contain various actions made by users, such as ZTNA logs, DNS Requests, SWG events, IPSEC Filtering, etc. Onboarding the logs into Hunters allows ingestion of the data, as well as levaraging the data in various detection and investigation use cases.

Supported data types

Axis Activity Logs

Table name: axis_activity_logs

The Axis audit logs contain various actions made by users, such as ZTNA logs, DNS Requests, SWG events, IPSEC Filtering, etc.

Send data to Hunters

Hunters supports the ingestion of Axis logs via an intermediary AWS S3 bucket.

To connect Axis logs:

1. Follow this guide by Axis to export the audit logs via a syslog integration, then to S3.

2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Auth log

Logs are expected in NDJSON format.

{"sessionId":"12345abcdeghij6789jhklm","eventId":"a123brt-2e03-44a8-99e5-9876dfghj","timestamp":"2023-10-20T15:15:48.098Z","applicationId":"34567jh-94a2-41ba-b0b9-rtyu8765","applicationName":"abcd-cdn-som.example.com","applicationProtocol":"Http","applicationAddress":"abcd.som.example.com:80","applicationType":"ManagementDefined","operationSystem":"Mac OS X","geoLocation":"LT","userId":"samlp|example-4c4554a3ce134c9e8e1ca07d88b204f7|user@example.com","username":"user@example.com","userDisplayName":"User","groups":["K-OKTA-APP_abcd"],"identityProviderId":"7caf92b6-52ab-4939-a5a9-9b707603cb81","isBlocked":false,"ruleId":"0d502f27-bab2-4e50-82f3-5558aa0770e5","ruleName":"web_abcd-cdn-example.com","eventType":"Connect","eventDescription":"TCP connection established","additionalData":{"actualApplicationAddress":"abcdcdn.som.example.com:80"},"sourceIp":"111.222.333.44","tenantName":"example","time":"2023-10-20T15:15:48.098Z","tenantId":"234fg6-ecea-4b18-9081-12345sdfg"}