From 7b4fd2fd955f345464e259c8c1f98f00716371d9 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Tue, 8 Dec 2020 16:14:39 -0600 Subject: [PATCH 1/2] panos config option to set internal/external zones - default internal zone is "trust" - default external zone is "untrust" - allows for user to define zones for determining network.direction Relates #21674 --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/filebeat.reference.yml | 9 +++++++++ x-pack/filebeat/module/panw/_meta/config.yml | 9 +++++++++ x-pack/filebeat/module/panw/panos/config/input.yml | 14 ++++++++++++++ .../filebeat/module/panw/panos/ingest/pipeline.yml | 11 +++++------ x-pack/filebeat/module/panw/panos/manifest.yml | 6 ++++++ x-pack/filebeat/modules.d/panw.yml.disabled | 9 +++++++++ 7 files changed, 53 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c53e6a7ac9d..df1cc5bfd85 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -738,6 +738,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699] - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320] - Add logic for external network.direction in sophos xg fileset {pull}22973[22973] +- Add configuration option to set external and internal networks for panw panos fileset {pull}XXXXX[XXXXX] *Heartbeat* diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index ffcf422494b..2715439d9da 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1507,6 +1507,15 @@ filebeat.modules:
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
+
 #------------------------------ PostgreSQL Module ------------------------------
 #- module: postgresql
 # Logs
diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml
index 41c54c3700c..737825f598c 100644
--- a/x-pack/filebeat/module/panw/_meta/config.yml
+++ b/x-pack/filebeat/module/panw/_meta/config.yml
@@ -8,3 +8,12 @@
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 8ab5dfbf216..3d3f0be207f 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -173,6 +173,20 @@ processors:
 fields:
 - csv
+{{ if .external_zones }}
+ - add_fields:
+ target: _temp_
+ fields:
+ external_zones: {{ .external_zones | tojson }}
+{{ end }}
+
+{{ if .internal_zones }}
+ - add_fields:
+ target: _temp_
+ fields:
+ internal_zones: {{ .internal_zones | tojson }}
+{{ end }}
+
 - community_id: ~
 - community_id:
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 8b2bd7e8324..bc936c92725 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
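Review bot: The new comments for `var.internal_zones` and `var.external_zones` never say the option is a list, although the manifest defaults are lists and the input template passes the value through `tojson`; a user who uncomments `#var.internal_zones:` and writes a bare `trust` would presumably end up with a string under `_temp_`, and the pipeline's `contains()` would then do substring matching on a string instead of membership on a list. Stating the shape and showing the default in the same form fixes that: `# Set internal security zones (list). Used to determine network.direction.` followed by `#var.internal_zones: ["trust"]`, and likewise `["untrust"]` for the external option. The same wording appears in the `_meta/config.yml` hunk below and in the `panw.yml.disabled` hunk at the end of this patch.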
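Review bot: The two `add_fields` processors attach the configured zone lists under `_temp_` to every event, and nothing in this hunk removes them again; unless the ingest pipeline's existing cleanup (outside this patch) already drops `_temp_`, both lists will be indexed with every document. Because each block is wrapped in `{{ if .external_zones }}` / `{{ if .internal_zones }}`, an explicitly empty list produces no `_temp_` field at all, so every direction rule in the pipeline becomes a no-op and `network.direction` is silently left unset for TRAFFIC logs. A one-line template comment above the first block would make that visible to operators: `# An empty zone list disables network.direction classification for TRAFFIC logs.` The enclosing `processors` list starts before this hunk.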
@@ -134,24 +134,23 @@ processors:
 - set:
 field: network.direction
 value: inbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+ if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)'
 - set:
 field: network.direction
 value: outbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+ if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)'
 - set:
 field: network.direction
 value: internal
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+ if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)'
 - set:
 field: network.direction
 value: external
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+ if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && 
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)'
 - set:
 field: network.direction
 value: unknown
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
-
+ if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ((!ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)) || (!ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)))'
 # Set network.direction from threat direction (Threat logs).
 - set:
 field: network.direction
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 36f901c2845..958a4ba7247 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
@@ -14,6 +14,12 @@ var:
 default: syslog
 - name: community_id
 default: true
+ - name: internal_zones
+ default:
+ - trust
+ - name: external_zones
+ default:
+ - untrust
 ingest_pipeline: ingest/pipeline.yml
 input: config/input.yml
diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled
index a16d9580ac1..0bd5bf33419 100644
--- a/x-pack/filebeat/modules.d/panw.yml.disabled
+++ b/x-pack/filebeat/modules.d/panw.yml.disabled
@@ -11,3 +11,12 @@
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
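Review bot: The five `set` processors run in sequence and each overwrites `network.direction` unconditionally, so a zone name listed in both `internal_zones` and `external_zones` is classified by whichever rule happens to fire last instead of being flagged as a misconfiguration; the same holds for the reformatted copies of these rules in the second patch. Nothing validates that the two lists are disjoint, so the assumption should at least be stated above the first rule: `# internal_zones and external_zones must not overlap; later rules override earlier ones.` The conditions now read `observer.ingress.zone` / `observer.egress.zone` where the removed lines read `panw.panos.source.zone` / `destination.zone`, so they depend on those observer fields being populated earlier in the pipeline, which is outside this hunk and worth confirming. The `processors` list these rules belong to starts before the hunk.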
From a2b82fb1556528196a7844420266024a95bcc005 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Tue, 8 Dec 2020 20:52:20 -0600 Subject: [PATCH 2/2] Fixes - changelog pr number - improve readability of network.direction if statements --- CHANGELOG.next.asciidoc | 2 +- .../module/panw/panos/ingest/pipeline.yml | 49 +++++++++++++++++-- 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index df1cc5bfd85..47202176ba9 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -738,7 +738,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699] - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320] - Add logic for external network.direction in sophos xg fileset {pull}22973[22973] -- Add configuration option to set external and internal networks for panw panos fileset {pull}XXXXX[XXXXX] +- Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998] *Heartbeat* diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index bc936c92725..3bf76a0c5c1 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml 
@@ -134,23 +134,62 @@ processors:
 - set:
 field: network.direction
 value: inbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
 - set:
 field: network.direction
 value: outbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: internal
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ 
ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: external
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: unknown
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ((!ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)) || (!ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)))'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)
+ )
+ )
 # Set network.direction from threat direction (Threat logs).
 - set:
 field: network.direction
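Review bot: The rewritten conditions use `if: >`, which keeps a trailing newline on every script; Painless tolerates it, but `if: >-` is the usual form for a value that is meant to be one logical line and gives a scalar equal to the quoted string it replaces. In the `unknown` rule the more-indented `(` and `!ctx…` lines are preserved verbatim by the folded scalar rather than joined, which is also harmless but means the block reads differently from the four above it. Since the five rules now spell out the same `type == "TRAFFIC"` and null guards five times, a single `script` processor computing the direction once would shorten this further and make the order of precedence between the rules explicit; that is optional, and the conditions are consistent with the previous patch as far as the hunk shows. The `processors` list continues outside the hunk.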