From 0e1ab1234631beb232beeeee1db6603b38d3df6f Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Thu, 10 Dec 2020 08:52:25 -0600
Subject: [PATCH] [Filebeat] improve logic for network.direction in sophos xg fileset (#22973) (#22989)
* improve logic for network.direction in sophos xg fileset
- "external" when traffic src and dst are in 'WAN' zone
Relates #21674
* Update CHANGELOG.next.asciidoc
Co-authored-by: Andrew Kroh
Co-authored-by: Andrew Kroh
(cherry picked from commit db4830b9853c06b505478efa20c4d38be0e08b2f)
---
 CHANGELOG.next.asciidoc | 2 +-
 x-pack/filebeat/module/sophos/xg/ingest/firewall.yml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1b0bd17c8db..22ab9bb7b0a 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -495,6 +495,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `event.category` "configuration" to o365 module events. {pull}23010[23010]
 - Add `event.category` "configuration" to zoom module events. {pull}23010[23010]
 - Add `network.direction` to auditd/log fileset. {pull}23041[23041]
+- Add logic for external network.direction in sophos xg fileset {pull}22973[22973]
 *Heartbeat*
@@ -641,4 +642,3 @@ port. {pull}19209[19209]
-
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
index 193af05b836..a9ad2eb988c 100644
--- a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
@@ -390,6 +390,10 @@ processors:
 field: network.direction
 value: internal
 if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
+- set:
+ field: network.direction
+ value: external
+ if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'"
 #########################
 ## ECS Related Mapping ##
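Review bot: The new `external` rule is not exercised by any test fixture in this commit; the diffstat lists only the changelog and the pipeline, so no expected-output sample contains an event whose ingress and egress zones are both `WAN`, and a regression in the condition would go unnoticed until detection rules keyed on `network.direction` start missing events. A sample log line for that case should be added to the fileset's expected-output fixtures. The condition is a case-sensitive comparison against the literal `WAN`, like the zone list in the `internal` rule above, so an event with a differently-spelled or site-specific zone name (if the product allows custom zones, which I cannot confirm from here) leaves `network.direction` unset rather than mislabelled; acceptable, but worth stating next to the processor, e.g. `# WAN -> WAN traffic is ECS "external"; zone names are matched case-sensitively, unmatched zones leave the field unset`. For consistency with the preceding rule, `['WAN'].contains(ctx?.observer?.ingress?.zone)` would also let further outside-facing zones be added later without changing the expression shape. Whether the WAN<->LAN inbound/outbound cases are handled is outside this hunk.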