Sync changes to Juniper SRX

Convert event.risk values to float Protect against missing event.timezone Convert event.severity to long. elastic/integrations#443
andrewkroh · Jan 12, 2021 · 838c4b1 · 838c4b1
1 parent 84a7abe
commit 838c4b1
Show file tree

Hide file tree

Showing 9 changed files with 87 additions and 82 deletions.
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
@@ -13,11 +13,12 @@ processors:
 - append:
     field: event.category
     value: network
-- rename:
+- convert:
     field: juniper.srx.application_risk
+    type: float
     target_field: event.risk_score
     ignore_missing: true
-    if: "ctx.juniper?.srx?.application_risk != null"
+    ignore_failure: true
 - append:
     field: event.type
     value:
@@ -344,6 +345,7 @@ processors:
 #############
 - remove:
     field:
+    - juniper.srx.application_risk
     - juniper.srx.destination_port
     - juniper.srx.nat_destination_port
     - juniper.srx.bytes_from_client

diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
@@ -27,7 +27,7 @@ processors:
 # Parse the date
 #
 - date:
-    if: "ctx.event.timezone == null"
+    if: "ctx?.event?.timezone == null"
     field: _temp_.raw_date
     target_field: "@timestamp"
     formats:
@@ -36,7 +36,7 @@ processors:
     - yyyy-MM-dd HH:mm:ss Z
     - ISO8601
 - date:
-    if: "ctx.event.timezone != null"
+    if: "ctx?.event?.timezone != null"
     timezone: "{{ event.timezone }}"
     field: _temp_.raw_date
     target_field: "@timestamp"
@@ -55,7 +55,7 @@ processors:
 - rename:
     field: juniper.srx.elapsed_time
     target_field: juniper.srx.duration
-    if: "ctx.juniper?.srx?.elapsed_time != null"
+    if: "ctx?.juniper?.srx?.elapsed_time != null"
 
 # Sets starts, end and duration when start and duration is known
 - script:
@@ -88,9 +88,11 @@ processors:
 - set:
     field: event.dataset
     value: juniper.srx
-- set:
-    field: event.severity
-    value: '{{syslog_pri}}'
+- convert:
+    field: syslog_pri
+    type: long
+    target_field: event.severity
+    ignore_failure: true
 - rename:
     field: log.original
     target_field: event.original
@@ -197,8 +199,7 @@ processors:
 - remove:
     field:
         - message
-        - _temp_
-        - _temp
+        - _temp_.raw_date
         - juniper.srx.duration
         - juniper.srx.dir_disp
         - juniper.srx.srczone

diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
@@ -13,11 +13,12 @@ processors:
 - append:
     field: event.category
     value: network
-- rename:
+- convert:
     field: juniper.srx.urlcategory_risk
+    type: float
     target_field: event.risk_score
     ignore_missing: true
-    if: "ctx.juniper?.srx?.urlcategory_risk != null"
+    ignore_failure: true
 - set:
     field: event.kind
     value: alert
@@ -380,6 +381,7 @@ processors:
     - juniper.srx.nat_source_port
     - juniper.srx.bytes_from_server
     - juniper.srx.packets_from_server
+    - juniper.srx.urlcategory_risk
     ignore_missing: true
 
 on_failure:

diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
@@ -25,7 +25,7 @@
         "event.module": "juniper",
         "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"",
         "event.outcome": "success",
-        "event.severity": "14",
+        "event.severity": 14,
         "event.timezone": "-02:00",
         "event.type": [
             "info",
@@ -82,7 +82,7 @@
         "event.module": "juniper",
         "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"",
         "event.outcome": "success",
-        "event.severity": "14",
+        "event.severity": 14,
         "event.timezone": "-02:00",
         "event.type": [
             "info",
@@ -130,7 +130,7 @@
         "event.module": "juniper",
         "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"",
         "event.outcome": "success",
-        "event.severity": "11",
+        "event.severity": 11,
         "event.timezone": "-02:00",
         "event.type": [
             "allowed",
@@ -182,7 +182,7 @@
         "event.module": "juniper",
         "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
         "event.outcome": "success",
-        "event.severity": "165",
+        "event.severity": 165,
         "event.timezone": "-02:00",
         "event.type": [
             "allowed",