Add OCSF rule and template for paloalto network traffic logs #5087

Merged
merged 2 commits into from
Oct 22, 2024

Conversation

kkondaka
Collaborator

@kkondaka kkondaka commented Oct 19, 2024

Description

Add OCSF rule and template to match and transform PaloAlto networks traffic logs

Issues Resolved

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • [x] Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Krishna Kondaka <krishkdk@dev-dsk-krishkdk-2c-bd29c437.us-west-2.amazon.com>
@@ -0,0 +1,6 @@
plugin_name: "ocsf-panw-traffic"
apply_when:
- "$..processor[?(@.ocsf.type == 'PALOALTO_NETWORKS_TRAFFIC_LOGS')]"
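Review bot: neither `plugin_name` nor the `ocsf.type` literal in the `apply_when` JSONPath carries an OCSF schema version, so a later mapping for the same log source (say, a v1.2 template) could not coexist with this one; suggest encoding the version in both, along the lines of `plugin_name: "ocsf-v1.1-panw-traffic"`, and keep the rule and template names identical, since this exact string is what selects the transformation.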

@sharraj sharraj Oct 19, 2024


PALO_ALTO_NETWORK_TRAFFIC_LOGS. Please modify to this.



Can we create file name as ocsf-v1.1-panw-traffic-rule.yaml



Can we rename file as ocsf-v1.1-panw-traffic-template.yaml

@@ -0,0 +1,6 @@
plugin_name: "ocsf-panw-traffic"
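Review bot: the template repeats `plugin_name: "ocsf-panw-traffic"` literally; because the rule's `plugin_name` is what ties the two files together, any rename (such as the versioned `ocsf-v1.1-panw-traffic` requested in review) has to land in both files in the same commit, or the template will silently stop matching.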


Please change plugin_name as "ocsf-v1.1-panw-traffic"

Signed-off-by: Krishna Kondaka <krishkdk@dev-dsk-krishkdk-2c-bd29c437.us-west-2.amazon.com>
Member

@sb2k16 sb2k16 left a comment


Thanks @kkondaka

include 'data-prepper-plugins:opensearch-api-source'
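Review bot: this `include` line appears to re-add the `opensearch-api-source` module to the Gradle build, which the PR description does not mention; if it is intentional, state it in the description, otherwise drop it so the change stays scoped to the OCSF rule and template.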
Member


Did you mean to add this back?

Collaborator Author


This is a new file. Just creating basic build.gradle so that it can be used in future.

@@ -0,0 +1,673 @@
"<<pipeline-name>>":
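Review bot: a 673-line template whose first line is the `"<<pipeline-name>>":` placeholder has no header comment; a few comment lines at the top naming the input format (PAN-OS traffic log fields), the target OCSF event class and the substitution expected for `<<pipeline-name>>` would let a reviewer check individual mappings against a stated contract.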
Member


Does the current transformation code support sub-directories? If so, we should probably look at a structure that we can expand over time.

Also, I think we should consider dropping the rules/ and transforms/ directories in favor of either a suffix or some other data.

transforms/ocsf-v1.1/panw-traffic-rule.yaml
transforms/ocsf-v1.1/panw-traffic-template.yaml

If you are working on a transformation, you should be able to modify two files that sit next to each other. Having to work with files in completely different directory structures will become cumbersome as the number of transformations grows.

We can address these items later.

Collaborator Author


Will check with Srikanth and see if sub-directories are supported.

@@ -0,0 +1,6 @@

dependencies {
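Review bot: the new build.gradle opens a `dependencies {` block although the author states the module needs no dependency; either leave the file out until there is code to build, or add a one-line comment marking it as a placeholder so the empty block is not mistaken for a missing dependency declaration.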
Member


Do we even need this dependency?

Collaborator Author


I don't need a build.gradle. But since I am adding a new sub directory, I thought it's good to have a simple file to start with. It may be expanded as needed in future.

- from_key: Action
to_key: unmapped/Action
overwrite_if_to_key_exists: true
- convert_type:
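Review bot: `overwrite_if_to_key_exists: true` on the `Action` -> `unmapped/Action` rename silently replaces any value already stored under `unmapped/Action`; since `unmapped` is where the original vendor fields are retained, consider leaving overwrite disabled, or state in a comment why the clobber is safe, so source data is not lost in the transform.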
Member


It may be good to change these to:

convert_type:
  keys: [status_id, action_id, type_uid, ...]
  type: integer

But, we can address this later.

Collaborator Author


Yeah. I took the yaml config given by security lake engineer as is. We have identified some changes that can be done. We can do that in a separate PR.

@kkondaka kkondaka merged commit 5bfcac8 into opensearch-project:main Oct 22, 2024
73 of 74 checks passed