[Filebeat] improve logic for network.direction in sophos xg fileset (#22973)

* improve logic for network.direction in sophos xg fileset

- "external" when traffic src and dst are in 'WAN' zone

Relates #21674

* Update CHANGELOG.next.asciidoc

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
leehinman and andrewkroh authored Dec 8, 2020
1 parent c1410e5 commit db4830b
Showing 2 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
Expand Up @@ -737,6 +737,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve Nats filebeat dashboard. {pull}22726[22726]
- Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699]
- Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320]
- Add logic for external network.direction in sophos xg fileset {pull}22973[22973]

*Heartbeat*

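Review bot: the new CHANGELOG entry is missing the trailing period that the neighbouring entries in this block ("Improve Nats filebeat dashboard.", "Add support for UNIX datagram sockets in `unix` input.") place before the `{pull}` link; suggest `- Add logic for external network.direction in sophos xg fileset. {pull}22973[22973]` so the list reads consistently.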
Expand Down Expand Up @@ -922,4 +923,3 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d




4 changes: 4 additions & 0 deletions x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
Expand Up @@ -390,6 +390,10 @@ processors:
field: network.direction
value: internal
if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
- set:
field: network.direction
value: external
if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'"

#########################
## ECS Related Mapping ##
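Review bot: the added `external` processor only fires when both `observer.ingress.zone` and `observer.egress.zone` are exactly `'WAN'`, so an event with one WAN side and one non-WAN side gets no `network.direction` from either this processor or the preceding `internal` one (which requires both zones to be in the LAN/DMZ/VPN/WiFi list); if the mixed case is meant to be handled by an earlier inbound/outbound processor outside this hunk, a short comment above the two `set` processors saying so would make the intent clear, and if it is not, the unmatched case should be decided explicitly rather than left unset. Also note that the commit changes only the pipeline and the changelog, with no test fixture for the sophos xg fileset exercising a WAN-to-WAN event, so the new branch has no expected-output coverage; suggest adding a sample log line for that case and regenerating the fileset's expected output. The `?.` null-safe access already makes the condition false when `ingress` or `egress` is absent, so no extra null check is needed.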
