[Filebeat] improve logic for network.direction in sophos xg fileset (#…

…22973) (#22989) * improve logic for network.direction in sophos xg fileset - "external" when traffic src and dst are in 'WAN' zone Relates #21674 * Update CHANGELOG.next.asciidoc Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit db4830b)
elastic · Dec 10, 2020 · 0e1ab12 · 0e1ab12
1 parent 9cfcb09
commit 0e1ab12
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -495,6 +495,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `event.category` "configuration" to o365 module events. {pull}23010[23010]
 - Add `event.category` "configuration" to zoom module events. {pull}23010[23010]
 - Add `network.direction` to auditd/log fileset. {pull}23041[23041]
+- Add logic for external network.direction in sophos xg fileset {pull}22973[22973]
 
 *Heartbeat*
 
@@ -641,4 +642,3 @@ port. {pull}19209[19209]
 
 
 
-
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
@@ -390,6 +390,10 @@ processors:
     field: network.direction
     value: internal
     if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
+- set:
+    field: network.direction
+    value: external
+    if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'"
 
 #########################
 ## ECS Related Mapping ##