-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OCSF rule and template for paloalto network traffic logs #5087
Conversation
Signed-off-by: Krishna Kondaka <krishkdk@dev-dsk-krishkdk-2c-bd29c437.us-west-2.amazon.com>
@@ -0,0 +1,6 @@ | |||
plugin_name: "ocsf-panw-traffic" | |||
apply_when: | |||
- "$..processor[?(@.ocsf.type == 'PALOALTO_NETWORKS_TRAFFIC_LOGS')]" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PALO_ALTO_NETWORK_TRAFFIC_LOGS. Please modify to this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we create file name as ocsf-v1.1-panw-traffic-rule.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rename file as ocsf-v1.1-panw-traffic-template.yaml
@@ -0,0 +1,6 @@ | |||
plugin_name: "ocsf-panw-traffic" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Plese change plugin_name as "ocsf-v1.1-panw-traffic"
Signed-off-by: Krishna Kondaka <krishkdk@dev-dsk-krishkdk-2c-bd29c437.us-west-2.amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @kkondaka
include 'data-prepper-plugins:opensearch-api-source' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you mean to add this back?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a new file. Just creating basic build.gradle so that it can be used in future.
@@ -0,0 +1,673 @@ | |||
"<<pipeline-name>>": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the current transformation code support sub-directories? If so, we should probably look at a structure that we can expand over time.
Also, I think we should consider dropping the rules/
and transforms/
directories in favor of either a suffix or some other data.
transforms/ocsf-v1.1/panw-traffic-rule.yaml
transforms/ocsf-v1.1/panw-traffic-template.yaml
If you are working on a transformation, you should be able to modify two files that sit next to each other. Having to work with files in completely different directory structures will become cumbersome as the number of transformations grows.
We can address these items later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will check with Srikanth and see if sub-directories are supported.
@@ -0,0 +1,6 @@ | |||
|
|||
dependencies { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we even need this dependency?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't need a build.gradle. But since I am adding a new sub directory, I thought it's good to have a simple file to start with. It may be expanded as needed in future.
- from_key: Action | ||
to_key: unmapped/Action | ||
overwrite_if_to_key_exists: true | ||
- convert_type: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be good to change these to:
convert_type:
keys: [status_id, action_id, type_uid, ...]
type: integer
But, we can address this later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. I took the yaml config given by security lake engineer as is. We have identified some changes that can be done. We can do that in a separate PR.
Description
Add OCSF rule and template to match and transform PaloAlto networks traffic logs
Issues Resolved
Resolves #[Issue number to be closed when this PR is merged]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.