[Filebeat] Improve ECS field mappings in panw module #17910

Merged 1 commit, Apr 23, 2020
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
@@ -20,7 +20,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]

*Filebeat*

- Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]

*Heartbeat*

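Review bot: the entry says event.outcome "now only contains success/failure", but the pipeline change in this PR sets `event.outcome: success` with no `if`, so "failure" is never produced; either reword the entry to say that event.outcome is now always `success` and the raw firewall action moved to `panw.panos.action`, or add the condition under which failure is emitted. Because saved searches and dashboards keyed on `event.outcome: deny` / `drop` will silently stop matching, the entry should also flag this as a breaking change and point users to `panw.panos.action` and the new `allowed` / `denied` values in event.type.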
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/panw/fields.go

(generated file, diff not rendered on this page)

4 changes: 4 additions & 0 deletions x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -127,3 +127,7 @@
type: keyword
description: >
Palo Alto Networks name for the threat.
- name: action
type: keyword
description: >-
Action taken for the session.
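Review bot: the description "Action taken for the session." is TRAFFIC-centric, while the pipeline fills this field for THREAT logs as well, where the value describes what was done with the threat (`alert`, `block-url`, `sinkhole`, ...); widen it to something like "Action taken by the firewall for the session or threat". Since this field replaces the old event.outcome mapping, an `example:` entry (for instance `allow`) would make the value set discoverable from the generated docs.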
4 changes: 2 additions & 2 deletions x-pack/filebeat/module/panw/panos/config/input.yml
@@ -70,7 +70,7 @@ processors:
destination.nat.port: 27
_temp_.labels: 28
network.transport: 29
event.outcome: 30
panw.panos.action: 30
network.bytes: 31
client.bytes: 32
destination.bytes: 32
@@ -123,7 +123,7 @@ processors:
destination.nat.port: 27
_temp_.labels: 28
network.transport: 29
event.outcome: 30
panw.panos.action: 30
panw.panos.threat.resource: 31
url.original: 31
panw.panos.threat.name: 32
100 changes: 89 additions & 11 deletions x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -175,34 +175,82 @@ processors:

# Set event.category depending on log type.
- set:
field: event.kind
value: event
if: 'ctx?._temp_?.message_type == "TRAFFIC"'
- append:
field: event.category
value: network_traffic
value:
- network_traffic
- network
if: 'ctx?._temp_?.message_type == "TRAFFIC"'
- set:
field: event.kind
value: alert
if: 'ctx?._temp_?.message_type == "THREAT"'
- append:
field: event.category
value: security_threat
value:
- security_threat
- intrusion_detection
- network
if: 'ctx?._temp_?.message_type == "THREAT"'

- drop:
if: 'ctx?.event?.category == null'
- append:
field: event.type
value: allowed
if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)"
- append:
field: event.type
value: denied
if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)"
- set:
field: event.outcome
value: success


# event.action for traffic logs.
- set:
field: event.action
value: flow_started
if: 'ctx?._temp_?.message_subtype == "start"'
- append:
field: event.type
value:
- start
- connection
if: 'ctx?._temp_?.message_subtype == "start"'
- set:
field: event.action
value: flow_terminated
if: 'ctx?._temp_?.message_subtype == "end"'
- append:
field: event.type
value:
- end
- connection
if: 'ctx?._temp_?.message_subtype == "end"'
- set:
field: event.action
value: flow_dropped
if: 'ctx?._temp_?.message_subtype == "drop"'
- append:
field: event.type
value:
- denied
- connection
if: 'ctx?._temp_?.message_subtype == "drop"'
- set:
field: event.action
value: flow_denied
if: 'ctx?._temp_?.message_subtype == "deny"'
- append:
field: event.type
value:
- denied
- connection
if: 'ctx?._temp_?.message_subtype == "deny"'

# event.action for threat logs.
- set:
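Review bot: the event.type classification (the two `append` processors that test `ctx.panw.panos.action` against the allow and deny lists) runs before the "drop icmp" / "reset both" / "reset client" / "reset server" normalization further down this file, so a raw value containing a space matches neither list and the event gets no `allowed` / `denied` type at all; move the normalization above this block and add `drop-icmp` to the denied list, since the normalized form is missing from it too. Two smaller points in the same hunk: `event.outcome: success` is set unconditionally (no `if`), which does not match the changelog's success/failure wording, and a TRAFFIC log with action `deny` and subtype `deny` gets `denied` appended twice (once from the action list, once from the subtype block) because `append` does not deduplicate; guard the subtype append with `ctx?.event?.type == null || !ctx.event.type.contains('denied')` or fold the two paths into one.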
@@ -276,21 +324,21 @@ processors:
# Normalize event.outcome.
# These values appear in the TRAFFIC docs but look like a mistake.
- set:
field: event.outcome
field: panw.panos.action
value: 'drop-icmp'
if: 'ctx?.event?.outcome == "drop icmp" || ctx?.event?.outcome == "drop ICMP"'
if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"'
- set:
field: event.outcome
field: panw.panos.action
value: 'reset-both'
if: 'ctx?.event?.outcome == "reset both"'
if: 'ctx?.panw?.panos?.action == "reset both"'
- set:
field: event.outcome
field: panw.panos.action
value: 'reset-client'
if: 'ctx?.event?.outcome == "reset client"'
if: 'ctx?.panw?.panos?.action == "reset client"'
- set:
field: event.outcome
field: panw.panos.action
value: 'reset-server'
if: 'ctx?.event?.outcome == "reset server"'
if: 'ctx?.panw?.panos?.action == "reset server"'

# Build related.ip array from src/dest/NAT IPs.
- append:
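Review bot: the comment "# Normalize event.outcome." is now stale, since every processor beneath it targets panw.panos.action; rename it to "# Normalize panw.panos.action." and note that the values it produces (`drop-icmp`, `reset-both`, `reset-client`, `reset-server`) are only visible to processors that run after this block, so anything that classifies on the action needs to come later in the pipeline than these four `set` processors.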
@@ -391,6 +439,36 @@ processors:
value: 'URL-filtering'
if: 'ctx?.panw?.panos?.threat?.id == "9999"'

- set:
field: rule.name
value: "{{panw.panos.ruleset}}"
if: "ctx?.panw?.panos?.ruleset != null"

- append:
field: related.user
value: "{{client.user.name}}"
if: "ctx?.client?.user?.name != null"

- append:
field: related.user
value: "{{source.user.name}}"
if: "ctx?.source?.user?.name != null"

- append:
field: related.user
value: "{{server.user.name}}"
if: "ctx?.server?.user?.name != null"

- append:
field: related.user
value: "{{destination.user.name}}"
if: "ctx?.destination?.user?.name != null"

- append:
field: related.hash
value: "{{panw.panos.file.hash}}"
if: "ctx?.panw?.panos?.file?.hash != null"

# Remove temporary fields.
- remove:
field:
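Review bot: the four related.user appends produce duplicates whenever client.user.name equals source.user.name (and server.user.name equals destination.user.name), which is the normal case in this module, as the input.yml mapping of the same CSV column into both client.* and destination.* shows; the expected fixture in this PR confirms it with "crusher" listed twice. Guard each append with a condition such as `ctx?.related?.user == null || !ctx.related.user.contains(ctx.source.user.name)`, or append only the source/destination names and drop the client/server pair.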
(expected-output test fixture, file name not rendered on this page)
@@ -23,14 +23,23 @@
"destination.packets": 1,
"destination.port": 80,
"event.action": "flow_started",
"event.category": "network_traffic",
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "panw.panos",
"event.duration": 0,
"event.end": "2012-04-10T04:39:56.000-02:00",
"event.kind": "event",
"event.module": "panw",
"event.outcome": "allow",
"event.outcome": "success",
"event.start": "2012-04-10T04:39:56.000-02:00",
"event.timezone": "-02:00",
"event.type": [
"allowed",
"start",
"connection"
],
"fileset.name": "panos",
"input.type": "log",
"labels.captive_portal": true,
@@ -44,6 +53,7 @@
"network.transport": "tcp",
"network.type": "ipv4",
"observer.serial_number": "01606001116",
"panw.panos.action": "allow",
"panw.panos.destination.interface": "ethernet1/1",
"panw.panos.destination.nat.ip": "0.0.0.0",
"panw.panos.destination.nat.port": 0,
@@ -62,6 +72,11 @@
"0.0.0.0",
"0.0.0.0"
],
"related.user": [
"crusher",
"crusher"
Member (inline review comment): I wish the append processor would deduplicate like the AppendTo function in beats.
],
"rule.name": "rule1",
"server.bytes": 0,
"server.ip": "204.232.231.46",
"server.packets": 1,
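Review bot: the expected `related.user` array carries "crusher" twice, which locks the duplicate-producing behaviour of the pipeline's related.user appends into the test; once those appends are guarded against repeats the fixture should expect a single "crusher", so regenerate this file after fixing the pipeline rather than committing the duplicated output.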