[Filebeat] add panos type and sub_type (elastic#20912)
* add panos type and sub_type

- add panw.panos.type
- add panw.panos.sub_type
leehinman authored Sep 15, 2020
1 parent bf3eace commit d14c6a1
Showing 11 changed files with 879 additions and 38 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -563,6 +563,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve Santa module with `x509` ECS mappings {pull}20976[20976]
- Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973]
- Added new module for Zoom webhooks {pull}20414[20414]
- Add type and sub_type to panw panos fileset {pull}20912[20912]

*Heartbeat*

14 changes: 14 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -96109,6 +96109,20 @@ type: keyword

--

*`panw.panos.type`*::
+
--
Specifies the type of the log

--

*`panw.panos.sub_type`*::
+
--
Specifies the sub type of the log

--

[[exported-fields-postgresql]]
== PostgreSQL fields

2 changes: 1 addition & 1 deletion x-pack/filebeat/module/panw/fields.go


6 changes: 6 additions & 0 deletions x-pack/filebeat/module/panw/panos/_meta/fields.yml
Expand Up @@ -136,3 +136,9 @@
type: keyword
description: >-
Action taken for the session.
- name: type
description: >-
Specifies the type of the log
- name: sub_type
description: >-
Specifies the sub type of the log
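Review bot: The two new entries `- name: type` and `- name: sub_type` omit `type: keyword`, while the neighbouring `action` field in the same list declares it explicitly. Even if the fields generator falls back to keyword for an unspecified type (not visible here, so worth confirming), adding `type: keyword` to both keeps the file consistent and makes the indexed type obvious to whoever writes queries against it. The descriptions could also name the values the ingest pipeline in this commit branches on, e.g. `Specifies the type of the log, e.g. TRAFFIC or THREAT`, since dashboards and detection rules will key on exact values of these two fields. The enclosing field list starts above the hunk.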
9 changes: 5 additions & 4 deletions x-pack/filebeat/module/panw/panos/config/input.yml
Expand Up @@ -35,17 +35,18 @@ processors:
- extract_array:
field: csv
overwrite_keys: true
omit_empty: true
mappings:
event.created: 1
observer.serial_number: 2
_temp_.message_type: 3
_temp_.message_subtype: 4
panw.panos.type: 3
panw.panos.sub_type: 4
_temp_.generated_time: 6

- extract_array:
when:
equals:
_temp_.message_type: TRAFFIC
panw.panos.type: TRAFFIC
field: csv
overwrite_keys: true
omit_empty: true
Expand Down Expand Up @@ -107,7 +108,7 @@ processors:
- extract_array:
when:
equals:
_temp_.message_type: THREAT
panw.panos.type: THREAT
field: csv
omit_empty: true
overwrite_keys: true
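Review bot: The mappings `panw.panos.type: 3` and `panw.panos.sub_type: 4` replace the `_temp_` names but nothing says what those indexes are; now that the values land in exported fields rather than a scratch namespace, a comment above the `mappings:` block would help, e.g. `# csv positions 3 and 4 of the PAN-OS log header: log type (TRAFFIC, THREAT, ...) and sub type`. The `when.equals` gates on the later processors (`panw.panos.type: TRAFFIC`, `panw.panos.type: THREAT`) now depend on this first `extract_array` having populated the field, so processor order is load-bearing and deserves a one-line note as well. The `processors:` list starts before the first hunk and continues past the second.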
66 changes: 33 additions & 33 deletions x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
Expand Up @@ -134,72 +134,72 @@ processors:
- set:
field: network.direction
value: inbound
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
- set:
field: network.direction
value: outbound
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
- set:
field: network.direction
value: internal
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
- set:
field: network.direction
value: external
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
- set:
field: network.direction
value: unknown
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'

# Set network.direction from threat direction (Threat logs).
- set:
field: network.direction
value: inbound
if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'

- set:
field: network.direction
value: outbound
if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'

- set:
field: network.direction
value: unknown
if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null'
if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null'

# Set network.type for TRAFFIC.
- set:
field: network.type
value: 'ipv4'
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
- set:
field: network.type
value: 'ipv6'
if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'

# Set event.category depending on log type.
- set:
field: event.kind
value: event
if: 'ctx?._temp_?.message_type == "TRAFFIC"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
- append:
field: event.category
value:
- network_traffic
- network
if: 'ctx?._temp_?.message_type == "TRAFFIC"'
if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
- set:
field: event.kind
value: alert
if: 'ctx?._temp_?.message_type == "THREAT"'
if: 'ctx?.panw?.panos?.type == "THREAT"'
- append:
field: event.category
value:
- security_threat
- intrusion_detection
- network
if: 'ctx?._temp_?.message_type == "THREAT"'
if: 'ctx?.panw?.panos?.type == "THREAT"'
- append:
field: event.type
value: allowed
Expand All @@ -217,89 +217,89 @@ processors:
- set:
field: event.action
value: flow_started
if: 'ctx?._temp_?.message_subtype == "start"'
if: 'ctx?.panw?.panos?.sub_type == "start"'
- append:
field: event.type
value:
- start
- connection
if: 'ctx?._temp_?.message_subtype == "start"'
if: 'ctx?.panw?.panos?.sub_type == "start"'
- set:
field: event.action
value: flow_terminated
if: 'ctx?._temp_?.message_subtype == "end"'
if: 'ctx?.panw?.panos?.sub_type == "end"'
- append:
field: event.type
value:
- end
- connection
if: 'ctx?._temp_?.message_subtype == "end"'
if: 'ctx?.panw?.panos?.sub_type == "end"'
- set:
field: event.action
value: flow_dropped
if: 'ctx?._temp_?.message_subtype == "drop"'
if: 'ctx?.panw?.panos?.sub_type == "drop"'
- append:
field: event.type
value:
- denied
- connection
if: 'ctx?._temp_?.message_subtype == "drop"'
if: 'ctx?.panw?.panos?.sub_type == "drop"'
- set:
field: event.action
value: flow_denied
if: 'ctx?._temp_?.message_subtype == "deny"'
if: 'ctx?.panw?.panos?.sub_type == "deny"'
- append:
field: event.type
value:
- denied
- connection
if: 'ctx?._temp_?.message_subtype == "deny"'
if: 'ctx?.panw?.panos?.sub_type == "deny"'

# event.action for threat logs.
- set:
field: event.action
value: data_match
if: 'ctx?._temp_?.message_subtype == "data"'
if: 'ctx?.panw?.panos?.sub_type == "data"'
- set:
field: event.action
value: file_match
if: 'ctx?._temp_?.message_subtype == "file"'
if: 'ctx?.panw?.panos?.sub_type == "file"'
- set:
field: event.action
value: flood_detected
if: 'ctx?._temp_?.message_subtype == "flood"'
if: 'ctx?.panw?.panos?.sub_type == "flood"'
- set:
field: event.action
value: packet_attack
if: 'ctx?._temp_?.message_subtype == "packet"'
if: 'ctx?.panw?.panos?.sub_type == "packet"'
- set:
field: event.action
value: scan_detected
if: 'ctx?._temp_?.message_subtype == "scan"'
if: 'ctx?.panw?.panos?.sub_type == "scan"'
- set:
field: event.action
value: spyware_detected
if: 'ctx?._temp_?.message_subtype == "spyware"'
if: 'ctx?.panw?.panos?.sub_type == "spyware"'
- set:
field: event.action
value: url_filtering
if: 'ctx?._temp_?.message_subtype == "url"'
if: 'ctx?.panw?.panos?.sub_type == "url"'
- set:
field: event.action
value: virus_detected
if: 'ctx?._temp_?.message_subtype == "virus"'
if: 'ctx?.panw?.panos?.sub_type == "virus"'
- set:
field: event.action
value: exploit_detected
if: 'ctx?._temp_?.message_subtype == "vulnerability"'
if: 'ctx?.panw?.panos?.sub_type == "vulnerability"'
- set:
field: event.action
value: wildfire_verdict
if: 'ctx?._temp_?.message_subtype == "wildfire"'
if: 'ctx?.panw?.panos?.sub_type == "wildfire"'
- set:
field: event.action
value: wildfire_virus_detected
if: 'ctx?._temp_?.message_subtype == "wildfire-virus"'
if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"'


# Set numeric log.level from event.severity.
