add type & sub_type for all events

elastic · Sep 3, 2020 · 6fbfd5c · 6fbfd5c
1 parent 2199050
commit 6fbfd5c
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 41 deletions.
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -35,24 +35,23 @@ processors:
   - extract_array:
       field: csv
       overwrite_keys: true
+      omit_empty: true
       mappings:
         event.created: 1
         observer.serial_number: 2
-        _temp_.message_type: 3
-        _temp_.message_subtype: 4
+        panw.panos.type: 3
+        panw.panos.sub_type: 4
         _temp_.generated_time: 6
 
   - extract_array:
       when:
         equals:
-          _temp_.message_type: TRAFFIC
+          panw.panos.type: TRAFFIC
       field: csv
       overwrite_keys: true
       omit_empty: true
       fail_on_error: false
       mappings:
-        panw.panos.type: 3
-        panw.panos.sub_type: 4
         client.ip: 7
         source.ip: 7
         source.address: 7
@@ -109,14 +108,12 @@ processors:
   - extract_array:
       when:
        equals:
-          _temp_.message_type: THREAT
+          panw.panos.type: THREAT
       field: csv
       omit_empty: true
       overwrite_keys: true
       fail_on_error: false
       mappings:
-        panw.panos.type: 3
-        panw.panos.sub_type: 4
         client.ip: 7
         source.ip: 7
         source.address: 7

diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -134,72 +134,72 @@ processors:
  - set:
      field: network.direction
      value: inbound
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
  - set:
      field: network.direction
      value: outbound
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
  - set:
      field: network.direction
      value: internal
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
  - set:
      field: network.direction
      value: external
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
  - set:
      field: network.direction
      value: unknown
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
 
 # Set network.direction from threat direction (Threat logs).
  - set:
      field: network.direction
      value: inbound
-     if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
 
  - set:
      field: network.direction
      value: outbound
-     if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
 
  - set:
      field: network.direction
      value: unknown
-     if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null'
 
 # Set network.type for TRAFFIC.
  - set:
      field: network.type
      value: 'ipv4'
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
  - set:
      field: network.type
      value: 'ipv6'
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
 
   # Set event.category depending on log type.
  - set:
      field: event.kind
      value: event
-     if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
  - append:
      field: event.category
      value:
        - network_traffic
        - network
-     if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
  - set:
      field: event.kind
      value: alert
-     if: 'ctx?._temp_?.message_type == "THREAT"'
+     if: 'ctx?.panw?.panos?.type == "THREAT"'
  - append:
      field: event.category
      value:
        - security_threat
        - intrusion_detection
        - network
-     if: 'ctx?._temp_?.message_type == "THREAT"'
+     if: 'ctx?.panw?.panos?.type == "THREAT"'
  - append:
      field: event.type
      value: allowed
@@ -217,89 +217,89 @@ processors:
  - set:
      field: event.action
      value: flow_started
-     if: 'ctx?._temp_?.message_subtype == "start"'
+     if: 'ctx?.panw?.panos?.sub_type == "start"'
  - append:
      field: event.type
      value:
        - start
        - connection
-     if: 'ctx?._temp_?.message_subtype == "start"'
+     if: 'ctx?.panw?.panos?.sub_type == "start"'
  - set:
      field: event.action
      value: flow_terminated
-     if: 'ctx?._temp_?.message_subtype == "end"'
+     if: 'ctx?.panw?.panos?.sub_type == "end"'
  - append:
      field: event.type
      value:
        - end
        - connection
-     if: 'ctx?._temp_?.message_subtype == "end"'
+     if: 'ctx?.panw?.panos?.sub_type == "end"'
  - set:
      field: event.action
      value: flow_dropped
-     if: 'ctx?._temp_?.message_subtype == "drop"'
+     if: 'ctx?.panw?.panos?.sub_type == "drop"'
  - append:
      field: event.type
      value:
        - denied
        - connection
-     if: 'ctx?._temp_?.message_subtype == "drop"'
+     if: 'ctx?.panw?.panos?.sub_type == "drop"'
  - set:
      field: event.action
      value: flow_denied
-     if: 'ctx?._temp_?.message_subtype == "deny"'
+     if: 'ctx?.panw?.panos?.sub_type == "deny"'
  - append:
      field: event.type
      value:
        - denied
        - connection
-     if: 'ctx?._temp_?.message_subtype == "deny"'
+     if: 'ctx?.panw?.panos?.sub_type == "deny"'
 
 # event.action for threat logs.
  - set:
      field: event.action
      value: data_match
-     if: 'ctx?._temp_?.message_subtype == "data"'
+     if: 'ctx?.panw?.panos?.sub_type == "data"'
  - set:
      field: event.action
      value: file_match
-     if: 'ctx?._temp_?.message_subtype == "file"'
+     if: 'ctx?.panw?.panos?.sub_type == "file"'
  - set:
      field: event.action
      value: flood_detected
-     if: 'ctx?._temp_?.message_subtype == "flood"'
+     if: 'ctx?.panw?.panos?.sub_type == "flood"'
  - set:
      field: event.action
      value: packet_attack
-     if: 'ctx?._temp_?.message_subtype == "packet"'
+     if: 'ctx?.panw?.panos?.sub_type == "packet"'
  - set:
      field: event.action
      value: scan_detected
-     if: 'ctx?._temp_?.message_subtype == "scan"'
+     if: 'ctx?.panw?.panos?.sub_type == "scan"'
  - set:
      field: event.action
      value: spyware_detected
-     if: 'ctx?._temp_?.message_subtype == "spyware"'
+     if: 'ctx?.panw?.panos?.sub_type == "spyware"'
  - set:
      field: event.action
      value: url_filtering
-     if: 'ctx?._temp_?.message_subtype == "url"'
+     if: 'ctx?.panw?.panos?.sub_type == "url"'
  - set:
      field: event.action
      value: virus_detected
-     if: 'ctx?._temp_?.message_subtype == "virus"'
+     if: 'ctx?.panw?.panos?.sub_type == "virus"'
  - set:
      field: event.action
      value: exploit_detected
-     if: 'ctx?._temp_?.message_subtype == "vulnerability"'
+     if: 'ctx?.panw?.panos?.sub_type == "vulnerability"'
  - set:
      field: event.action
      value: wildfire_verdict
-     if: 'ctx?._temp_?.message_subtype == "wildfire"'
+     if: 'ctx?.panw?.panos?.sub_type == "wildfire"'
  - set:
      field: event.action
      value: wildfire_virus_detected
-     if: 'ctx?._temp_?.message_subtype == "wildfire-virus"'
+     if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"'
 
 
 # Set numeric log.level from event.severity.