Sonicwall firewall SIEM

Hi there,
I have already connected my Sonicwall firewall to Elastic Cloud (I'm in the trial). I can see the logs in Kibana, but Elastic Security SIEM doesn't recognize the firewall as a host, so it doesn't get the logs inside the Security app.
Here is a log seen from Kibana, I think the ECS format is correct.
Any ideas?

Make sure your index pattern is included in the SIEM default indexes

Yes, I knew about that and I think I have it in the correct way:
apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, logs-*, packetbeat-*, winlogbeat-*
As the Sonicwall log comes from Filebeat, "filebeat-*" should be enough, shouldn't it?

That should work, unless you are using different spaces in Kibana

As you can see, Filebeat is not getting logs from Sonicwall to the Security app, maybe there is some way to activate the Sonicwall module so that it sends the logs here too...

Did you use the Filebeat module?
As per the first screenshot, logs are already shipped to Elasticsearch in ECS format with Filebeat

Your logs are already in the SIEM

The UI is static and shows only 5 popular modules

Yes. But as you can see here it doesn't get the info in the right way. Here there is a failed login attempt log, and Elastic doesn't understand it as it should.

I see your point, the Filebeat module is not dissecting the field "event.original"
As the module is still not GA, you may need to add an ingest pipeline to correctly parse the field "event.original" into the ECS schema

Yep. I don't really know how to do that.
It's a bit awkward that a brand like Sonicwall is not supported by default in the correct way...

Can you share the whole document in JSON format?

You mean a JSON from a log?

  "_index": "filebeat-7.9.1-2020.09.09-000001",
  "_type": "_doc",
  "_id": "OKKVAnUBaCqgQQ66e0OD",
  "_version": 1,
  "_score": null,
  "_source": {
    "rsa": {
      "internal": {
        "messageid": "745"
      "time": {
        "event_time": "2020-10-07T10:22:31.000Z"
    "agent": {
      "hostname": "siem",
      "name": "siem",
      "id": "9b49d7b1-c42e-45d2-8316-6265a15f3edf",
      "type": "filebeat",
      "ephemeral_id": "25f87cfd-17d3-4a8e-a438-c6187df89f6f",
      "version": "7.9.1"
    "log": {
      "source": {
        "address": "XXXXX:514"
      "syslog": {
        "severity": {
          "code": 6
        "priority": 110,
        "facility": {
          "code": 13
    "fileset": {
      "name": "firewall"
    "tags": [
    "observer": {
      "product": "Firewalls",
      "vendor": "Sonicwall",
      "type": "Firewall"
    "input": {
      "type": "udp"
    "@timestamp": "2020-10-07T10:22:31.000Z",
    "ecs": {
      "version": "1.5.0"
    "service": {
      "type": "sonicwall"
    "event": {
      "code": "745",
      "original": "<110>  id=firewall sn=XXXXX time=\"2020-10-07 10:22:31 UTC\" fw=XXXXX pri=6 c=16 m=745 msg=\"User login denied - LDAP authentication failure\" sess=\"Web\" n=10209 usr=\"admin\" src=XXXXX:63880:X1 dst=XXXXX:443:X1 proto=tcp/https note=\"admin\" fw_action=\"NA\"",
      "module": "sonicwall",
      "dataset": "sonicwall.firewall"
  "fields": {
    "rsa.time.event_time": [
    "@timestamp": [
    "suricata.eve.timestamp": [
  "highlight": {
    "event.code": [
  "sort": [
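
Added example (not part of the original thread, and not the Filebeat module's code): a Python sketch of the parsing an ingest pipeline would have to do on "event.original", turning the key=value pairs into ECS fields so the failed login is recognizable as an authentication failure. The sample line is constructed from the one in the document above with the XXXXX values replaced by documentation addresses, and the "login denied" rule is an assumption based only on that one message.

```python
import re

# Constructed sample modelled on the event.original value posted above;
# serial number and IP addresses are placeholders, not real values.
SAMPLE = ('<110>  id=firewall sn=0000EXAMPLE time="2020-10-07 10:22:31 UTC" '
          'fw=203.0.113.1 pri=6 c=16 m=745 '
          'msg="User login denied - LDAP authentication failure" sess="Web" '
          'n=10209 usr="admin" src=192.0.2.10:63880:X1 dst=203.0.113.1:443:X1 '
          'proto=tcp/https note="admin" fw_action="NA"')

# A value is either "quoted, may contain spaces" or a bare token without spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_kv(line):
    """Split a SonicWall syslog line into a dict of raw key/value strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def split_endpoint(value):
    """'ip:port:interface' -> (ip, port or None). IPv4 form as in the sample."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port

def to_ecs(line):
    """Map the parsed pairs onto ECS field names (flat dotted keys)."""
    kv = parse_kv(line)
    doc = {"event.code": kv.get("m"), "message": kv.get("msg")}
    if kv.get("usr"):
        doc["user.name"] = kv["usr"]
    for key, side in (("src", "source"), ("dst", "destination")):
        if key in kv:
            ip, port = split_endpoint(kv[key])
            doc[f"{side}.ip"] = ip
            if port is not None:
                doc[f"{side}.port"] = port
    if "proto" in kv:
        transport, _, app = kv["proto"].partition("/")
        doc["network.transport"] = transport
        if app:
            doc["network.protocol"] = app
    # Assumption: text match taken from the single message in this thread,
    # not from a SonicWall message-ID reference.
    if "login denied" in (kv.get("msg") or "").lower():
        doc["event.category"] = ["authentication"]
        doc["event.outcome"] = "failure"
    return doc

if __name__ == "__main__":
    for field, value in sorted(to_ecs(SAMPLE).items()):
        print(f"{field}: {value}")
```
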

I also have the same issue, is there any way to resolve this issue?

We are currently working on an improved integration for Sonicwall firewalls that will solve these kinds of issues.