Stormshield

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name | Log format | Collection method
Stormshield Alarm Logs | ✅ ✅ | stormshield_alarm_logs | Key-value | S3
Stormshield System Logs | ✅ ✅ | stormshield_system_logs | Key-value | S3
Stormshield Plugin Logs | ✅ ✅ | stormshield_plugin_logs | Key-value | S3
Stormshield Server Logs | ✅ ✅ | stormshield_server_logs | Key-value | S3
Stormshield Connection Logs | ✅ ✅ | stormshield_connection_logs | Key-value | S3


Overview

Stormshield offers a robust suite of cybersecurity solutions focused on network, endpoint, and data protection. Its flagship products include Stormshield Network Security (SNS), a range of next-generation firewalls with advanced threat prevention and certified compliance; Stormshield Endpoint Security (SES), which provides proactive, behavior-based protection against ransomware, zero-day threats, and insider attacks; and Stormshield Data Security (SDS), a powerful encryption solution for securing sensitive data across devices, cloud environments, and communications. These products work together to deliver an integrated, multilayered defense tailored for critical infrastructures, government agencies, and regulated industries.

Supported data types

Stormshield Alarm Logs

Overview

Table name: stormshield_alarm_logs

Stormshield Alarm Logs provide detailed records of security events detected by the system, such as intrusion attempts, policy violations, or abnormal traffic. These logs are essential for identifying and responding to threats in real time, offering clear visibility into potential risks and security breaches.

Send data to Hunters

Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.

To connect Stormshield logs:

  1. Set up log routing via Syslog:

    1. In the Stormshield Web Admin interface go to Configuration > Logs > External Logging.

    2. Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140 UDP/TCP).

    3. Choose the log format (RFC 3164 or RFC 5424 is fine — Fluentd supports both).

    4. Set log levels as needed (Alarm, Connection, System, etc.).

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag stormshield.logs
        <parse>
          # accept both RFC 3164 and RFC 5424 framing from the firewall
          message_format auto
        </parse>
      </source>
      
      # in_syslog appends the facility and severity to the tag
      # (for example stormshield.logs.local0.info), so match with a ** glob
      <filter stormshield.logs.**>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      <match stormshield.logs.**>
        @type s3
        # placeholders: on EC2, drop these two lines and attach an instance role instead
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/stormshield/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure your Fluentd host (or the IAM user used by Fluentd) can write to the bucket. With the S3 plugin's default check_bucket and check_object settings it also issues HeadBucket and HeadObject calls, which need s3:ListBucket on the bucket and s3:GetObject on its objects, so the policy needs the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::your-s3-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2025-02-07T14:41:04.000Z, jgfhgd, jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:03" pri=4 confid=01 srcif="Ethernet1" srcifname="lan" ipproto=tcp dstif="Ethernet0" dstifname="wan" proto=http src=10.218.11.76 srcport=62065 srcportname=ad2008-dyn_tcp srcname=H-ULVRS003 srcmac=00:09:0f:09:00:08 dst=95.100.133.156 dstport=80 dstportname=http dstname=a767.dspw65.akamai.net dstcontinent="eu" dstcountry="fr" ipv=4 action=block msg="Sonde de port" class=protocol classification=0 alarmid=63 target=dst logtype="alarm"

Stormshield System Logs

Overview

Table name: stormshield_system_logs

Stormshield System Logs capture the internal operations of the Stormshield appliance, including process activity, system errors, service restarts, and hardware status. These logs are crucial for system monitoring, troubleshooting, and ensuring the overall health and stability of the platform.

Send data to Hunters

Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.

To connect Stormshield logs:

  1. Set up log routing via Syslog:

    1. In the Stormshield Web Admin interface go to Configuration > Logs > External Logging.

    2. Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140 UDP/TCP).

    3. Choose the log format (RFC 3164 or RFC 5424 is fine — Fluentd supports both).

    4. Set log levels as needed (Alarm, Connection, System, etc.).

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag stormshield.logs
        <parse>
          # accept both RFC 3164 and RFC 5424 framing from the firewall
          message_format auto
        </parse>
      </source>
      
      # in_syslog appends the facility and severity to the tag
      # (for example stormshield.logs.local0.info), so match with a ** glob
      <filter stormshield.logs.**>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      <match stormshield.logs.**>
        @type s3
        # placeholders: on EC2, drop these two lines and attach an instance role instead
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/stormshield/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure your Fluentd host (or the IAM user used by Fluentd) can write to the bucket. With the S3 plugin's default check_bucket and check_object settings it also issues HeadBucket and HeadObject calls, which need s3:ListBucket on the bucket and s3:GetObject on its objects, so the policy needs the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::your-s3-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2025-02-07T14:41:04.000Z, jgfhgd, jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:04" pri=5 msg="Démarrage d'une intervention administrative (185.56.204.137)" user="smc" service=sysevent alarmid=104 logtype="system"

Stormshield Plugin Logs

Overview

Table name: stormshield_plugin_logs

Stormshield Plugin Logs contain diagnostic and operational information related to additional modules or extensions integrated into the Stormshield environment. These logs help administrators understand the behavior and performance of plugins, and are useful during debugging or when fine-tuning features.

Send data to Hunters

Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.

To connect Stormshield logs:

  1. Set up log routing via Syslog:

    1. In the Stormshield Web Admin interface go to Configuration > Logs > External Logging.

    2. Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140 UDP/TCP).

    3. Choose the log format (RFC 3164 or RFC 5424 is fine — Fluentd supports both).

    4. Set log levels as needed (Alarm, Connection, System, etc.).

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag stormshield.logs
        <parse>
          # accept both RFC 3164 and RFC 5424 framing from the firewall
          message_format auto
        </parse>
      </source>
      
      # in_syslog appends the facility and severity to the tag
      # (for example stormshield.logs.local0.info), so match with a ** glob
      <filter stormshield.logs.**>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      <match stormshield.logs.**>
        @type s3
        # placeholders: on EC2, drop these two lines and attach an instance role instead
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/stormshield/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure your Fluentd host (or the IAM user used by Fluentd) can write to the bucket. With the S3 plugin's default check_bucket and check_object settings it also issues HeadBucket and HeadObject calls, which need s3:ListBucket on the bucket and s3:GetObject on its objects, so the policy needs the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::your-s3-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2025-02-07T14:41:04.000Z, jgfhgd, jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 12:40:45" pri=5 confid=01 slotlevel=1 ruleid=12 rulename="89e0fb14" srcif="Ethernet2" srcifname="process" ipproto=tcp dstif="Ethernet4" dstifname="presseballe" proto=s7 src=192.168.10.250 srcport=60025 srcportname=ad2008-dyn_tcp srcname=srv_1 srcmac=30:d0:42:eb:1e:ac dst=192.168.2.30 dstport=102 dstportname=iso-tsap dstname=srv_presse1 modsrc=192.168.2.254 modsrcport=20002 origdst=192.168.2.30 origdstport=102 ipv=4 sent=24 rcvd=355 duration=0.00 action=pass op=4 error_class=0 error_code=0 logtype="plugin"

Stormshield Server Logs

Overview

Table name: stormshield_server_logs

Stormshield Server Logs refer to logs generated by backend services supporting the Stormshield infrastructure. These may include authentication servers, configuration services, or management consoles, and they are key for tracking access, configuration changes, and inter-component communication.

Send data to Hunters

Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.

To connect Stormshield logs:

  1. Set up log routing via Syslog:

    1. In the Stormshield Web Admin interface go to Configuration > Logs > External Logging.

    2. Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140 UDP/TCP).

    3. Choose the log format (RFC 3164 or RFC 5424 is fine — Fluentd supports both).

    4. Set log levels as needed (Alarm, Connection, System, etc.).

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag stormshield.logs
        <parse>
          # accept both RFC 3164 and RFC 5424 framing from the firewall
          message_format auto
        </parse>
      </source>
      
      # in_syslog appends the facility and severity to the tag
      # (for example stormshield.logs.local0.info), so match with a ** glob
      <filter stormshield.logs.**>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      <match stormshield.logs.**>
        @type s3
        # placeholders: on EC2, drop these two lines and attach an instance role instead
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/stormshield/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure your Fluentd host (or the IAM user used by Fluentd) can write to the bucket. With the S3 plugin's default check_bucket and check_object settings it also issues HeadBucket and HeadObject calls, which need s3:ListBucket on the bucket and s3:GetObject on its objects, so the policy needs the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::your-s3-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2025-02-07T14:41:04.000Z, jgfhgd, jgfhgd serverd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:04" error=1 user="smc" address=185.56.204.137 sessionid=256392 msg="QUIT" logtype="server"

Stormshield Connection Logs

Overview

Table name: stormshield_connection_logs

Stormshield Connection Logs track all incoming and outgoing network sessions passing through the firewall, logging IP addresses, ports, protocols, and session states. These logs are fundamental for traffic analysis, auditing, and detecting suspicious or unauthorized connections.

Send data to Hunters

Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.

To connect Stormshield logs:

  1. Set up log routing via Syslog:

    1. In the Stormshield Web Admin interface go to Configuration > Logs > External Logging.

    2. Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140 UDP/TCP).

    3. Choose the log format (RFC 3164 or RFC 5424 is fine — Fluentd supports both).

    4. Set log levels as needed (Alarm, Connection, System, etc.).

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag stormshield.logs
        <parse>
          # accept both RFC 3164 and RFC 5424 framing from the firewall
          message_format auto
        </parse>
      </source>
      
      # in_syslog appends the facility and severity to the tag
      # (for example stormshield.logs.local0.info), so match with a ** glob
      <filter stormshield.logs.**>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      <match stormshield.logs.**>
        @type s3
        # placeholders: on EC2, drop these two lines and attach an instance role instead
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/stormshield/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure your Fluentd host (or the IAM user used by Fluentd) can write to the bucket. With the S3 plugin's default check_bucket and check_object settings it also issues HeadBucket and HeadObject calls, which need s3:ListBucket on the bucket and s3:GetObject on its objects, so the policy needs the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::your-s3-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2025-02-07T14:41:04.000Z, jgfhgd, jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:39:02" pri=5 confid=00 slotlevel=1 ruleid=3 rulename="606fddbf" srcif="ipsec" srcifname="ipsec" ipproto=udp dstif="vlan0" dstifname="admin_switch" proto=snmp src=10.218.62.18 srcport=38257 srcportname=ephemeral_fw_udp srcname=RVFRINF08708 dst=10.0.1.3 dstport=161 dstportname=snmp dstname=RVFRSW01002 modsrc=10.218.62.18 modsrcport=38257 origdst=10.0.1.3 origdstport=161 ipv=4 sent=337 rcvd=391 duration=0.06 action=pass logtype="connection"
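The expected-format samples in each section above share one shape: a timestamp and hostname envelope, then a Stormshield key-value message whose quoted values may contain spaces and whose time field is appliance-local with a separate tz offset. The Python below is an added example, not code from this page or from Hunters or Stormshield: it parses constructed rows abbreviated from the alarm and connection samples, normalises time plus tz to UTC so records can be checked against the envelope timestamp, and pulls out blocked alarms as the shape of a first detection over stormshield_alarm_logs.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the CSV envelope shown above (event timestamp, host,
# raw message); fields are abbreviated from the page's alarm and connection samples.
SAMPLE_CSV = (
    '2025-02-07T14:41:04.000Z,"jgfhgd","jgfhgd asqd id=firewall time=""2025-02-07 15:41:04"" '
    'fw=""jgfhgd"" tz=+0100 pri=4 srcif=""Ethernet1"" ipproto=tcp proto=http src=10.218.11.76 '
    'srcport=62065 dst=95.100.133.156 dstport=80 action=block msg=""Sonde de port"" '
    'class=protocol alarmid=63 target=dst logtype=""alarm"""\n'
    '2025-02-07T14:41:04.000Z,"jgfhgd","jgfhgd asqd id=firewall time=""2025-02-07 15:41:04"" '
    'fw=""jgfhgd"" tz=+0100 pri=5 ruleid=3 ipproto=udp proto=snmp src=10.218.62.18 '
    'srcport=38257 dst=10.0.1.3 dstport=161 sent=337 rcvd=391 duration=0.06 action=pass '
    'logtype=""connection"""\n'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_kv(message: str) -> dict:
    """Parse one Stormshield key-value message into a dict with quotes stripped."""
    # the syslog body carries "<host> <process> " before the first pair, which is id=
    start = re.search(r"\bid=", message)
    body = message[start.start():] if start else message
    fields = {}
    for m in KV_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def parse_rows(csv_text: str) -> list:
    """Split the CSV envelope into records: event time, host, plus the parsed fields."""
    return [{"event_time": ts, "host": host, **parse_kv(msg)}
            for ts, host, msg in csv.reader(io.StringIO(csv_text))]

def event_utc(fields: dict) -> datetime:
    """Combine the appliance-local 'time' with its 'tz' offset into an aware UTC datetime."""
    local = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    tz = fields["tz"]
    sign = -1 if tz[0] == "-" else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def blocked_alarms(records: list) -> list:
    """(src, dst, msg) for alarm records the firewall blocked: the shape of a first
    detection query over the stormshield_alarm_logs table."""
    return [(r["src"], r["dst"], r["msg"]) for r in records
            if r.get("logtype") == "alarm" and r.get("action") == "block"]
```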