[Filebeat] improve logic for network.direction in sophos xg fileset (e…

…lastic#22973) * improve logic for network.direction in sophos xg fileset - "external" when traffic src and dst are in 'WAN' zone Relates elastic#21674 * Update CHANGELOG.next.asciidoc Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit db4830b)
leehinman · Dec 9, 2020 · dbe003b · dbe003b
1 parent 5812c1b
commit dbe003b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -470,6 +470,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve panw ECS url fields mapping. {pull}22481[22481]
 - Improve Nats filebeat dashboard. {pull}22726[22726]
 - Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699]
+- Add logic for external network.direction in sophos xg fileset {pull}22973[22973]
 
 *Heartbeat*
 
@@ -610,4 +611,3 @@ port. {pull}19209[19209]
 
 
 
-
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
@@ -390,6 +390,10 @@ processors:
     field: network.direction
     value: internal
     if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
+- set:
+    field: network.direction
+    value: external
+    if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'"
 
 #########################
 ## ECS Related Mapping ##