Pulse Connect Secure

Collect logs from Pulse Connect Secure with Elastic Agent.

Version
2.2.1 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Community

This integration is for Pulse Connect Secure.

Log

An example event for log looks as following:

{
    "@timestamp": "2021-10-19T09:10:35.000+02:00",
    "agent": {
        "ephemeral_id": "59d9a27c-2780-41a3-b336-00bff722f3ec",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "address": "89.160.20.156",
        "as": {
            "number": 29518,
            "organization": {
                "name": "Bredband2 AB"
            }
        },
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.156"
    },
    "data_stream": {
        "dataset": "pulse_connect_secure.log",
        "namespace": "47711",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "created": "2021-10-19T09:10:35.000+02:00",
        "dataset": "pulse_connect_secure.log",
        "ingested": "2024-06-12T03:21:05Z",
        "kind": "event",
        "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.",
        "outcome": "success",
        "timezone": "+02:00"
    },
    "host": {
        "hostname": "pcs-node1"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "172.19.0.5:42415"
        }
    },
    "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.",
    "observer": {
        "ip": [
            "10.5.2.3"
        ],
        "name": "pcs-node1",
        "product": "Pulse Secure Connect",
        "type": "vpn",
        "vendor": "Pulse Secure"
    },
    "pulse_secure": {
        "realm": "REALM",
        "role": "REALM_ROLES",
        "session": {
            "id": "sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75"
        }
    },
    "source": {
        "address": "89.160.20.156",
        "as": {
            "number": 29518,
            "organization": {
                "name": "Bredband2 AB"
            }
        },
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.156"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "pulse_connect_secure-log"
    ],
    "user": {
        "name": "user.name"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723",
        "os": {
            "full": "Windows 10",
            "name": "Windows",
            "version": "10"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.flags
Flags for the log file.
keyword
log.offset
Log offset
long
log.source.address
Source address from which the log event was read / sent from.
keyword
pulse_secure.realm
test
keyword
pulse_secure.role
test
keyword
pulse_secure.session.id
test
keyword
pulse_secure.session.id_short
keyword

Changelog

VersionDetailsKibana version(s)

2.2.1

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

2.2.0

Enhancement View pull request
Allow domain separators to include extra backslash characters.

8.13.0 or higher

2.1.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.0.1

Bug fix View pull request
Fix sample event.

7.16.0 or higher
8.0.0 or higher

2.0.0

Enhancement View pull request
Make event.category and event.type fields conform to ECS field definition.

7.16.0 or higher
8.0.0 or higher

1.19.1

Bug fix View pull request
Fix ingest pipeline warnings

7.16.0 or higher
8.0.0 or higher

1.19.0

Enhancement View pull request
Update manifest format version to v3.0.3.

7.16.0 or higher
8.0.0 or higher

1.18.3

Bug fix View pull request
Fix duplicate session field

7.16.0 or higher
8.0.0 or higher

1.18.2

Enhancement View pull request
Changed owners

7.16.0 or higher
8.0.0 or higher

1.18.1

Bug fix View pull request
Handle session token in vpn log

7.16.0 or higher
8.0.0 or higher

1.18.0

Enhancement View pull request
ECS version updated to 8.11.0.

7.16.0 or higher
8.0.0 or higher

1.17.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

7.16.0 or higher
8.0.0 or higher

1.16.0

Enhancement View pull request
Set 'community' owner type.

7.16.0 or higher
8.0.0 or higher

1.15.0

Enhancement View pull request
ECS version updated to 8.10.0.

7.16.0 or higher
8.0.0 or higher

1.14.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

7.16.0 or higher
8.0.0 or higher

1.13.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

7.16.0 or higher
8.0.0 or higher

1.12.0

Enhancement View pull request
Update package-spec to 2.9.0.

7.16.0 or higher
8.0.0 or higher

1.11.0

Enhancement View pull request
Update package to ECS 8.9.0.

7.16.0 or higher
8.0.0 or higher

1.10.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

7.16.0 or higher
8.0.0 or higher

1.9.0

Enhancement View pull request
Update package to ECS 8.8.0.

7.16.0 or higher
8.0.0 or higher

1.8.0

Enhancement View pull request
Allow user-defined TCP options.

7.16.0 or higher
8.0.0 or higher

1.7.0

Enhancement View pull request
Update package to ECS 8.7.0.

7.16.0 or higher
8.0.0 or higher

1.6.0

Enhancement View pull request
Handle user domain for SAML events.

7.16.0 or higher
8.0.0 or higher

1.5.1

Enhancement View pull request
Added categories and/or subcategories.

7.16.0 or higher
8.0.0 or higher

1.5.0

Enhancement View pull request
Update package to ECS 8.6.0.

7.16.0 or higher
8.0.0 or higher

1.4.0

Enhancement View pull request
Add udp_options to the UDP input.

7.16.0 or higher
8.0.0 or higher

1.3.1

Bug fix View pull request
Remove duplicate fields.

7.16.0 or higher
8.0.0 or higher

1.3.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.16.0 or higher
8.0.0 or higher

1.2.2

Enhancement View pull request
Use ECS geo.location definition.

7.16.0 or higher
8.0.0 or higher

1.2.1

Bug fix View pull request
Fix minor issues with grok patterns

7.16.0 or higher
8.0.0 or higher

1.2.0

Enhancement View pull request
Update package to ECS 8.4.0

7.16.0 or higher
8.0.0 or higher

1.1.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.16.0 or higher
8.0.0 or higher

1.0.1

Bug fix View pull request
Add mapping for event.create

7.16.0 or higher
8.0.0 or higher

1.0.0

Enhancement View pull request
Make GA

7.16.0 or higher
8.0.0 or higher

0.3.0

Enhancement View pull request
Update to ECS 8.2

0.2.1

Enhancement View pull request
Add documentation for multi-fields

0.2.0

Enhancement View pull request
Add support for parsing syslog priority values

0.1.0

Enhancement View pull request
Update to ECS 8.0

0.0.2

Bug fix View pull request
Regenerate test files using the new GeoIP database

0.0.1

Enhancement View pull request
initial release

On this page