
Commit d14c6a1

authored
[Filebeat] add panos type and sub_type (#20912)
* add panos type and sub_type
  - add panw.panos.type
  - add panw.panos.sub_type
1 parent bf3eace commit d14c6a1

11 files changed

Lines changed: 879 additions & 38 deletions

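--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -563,6 +563,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve Santa module with `x509` ECS mappings {pull}20976[20976]
 - Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973]
 - Added new module for Zoom webhooks {pull}20414[20414]
+- Add type and sub_type to panw panos fileset {pull}20912[20912]
 
 *Heartbeat*
 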
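--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -96109,6 +96109,20 @@ type: keyword
 
 --
 
+*`panw.panos.type`*::
++
+--
+Specifies the type of the log
+
+--
+
+*`panw.panos.sub_type`*::
++
+--
+Specifies the sub type of the log
+
+--
+
 [[exported-fields-postgresql]]
 == PostgreSQL fields
 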
x-pack/filebeat/module/panw/fields.go

Lines changed: 1 addition & 1 deletion

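--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml
+++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -136,3 +136,9 @@
 type: keyword
 description: >-
 Action taken for the session.
+- name: type
+description: >-
+Specifies the type of the log
+- name: sub_type
+description: >-
+Specifies the sub type of the log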
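--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -35,17 +35,18 @@ processors:
 - extract_array:
 field: csv
 overwrite_keys: true
+omit_empty: true
 mappings:
 event.created: 1
 observer.serial_number: 2
-_temp_.message_type: 3
-_temp_.message_subtype: 4
+panw.panos.type: 3
+panw.panos.sub_type: 4
 _temp_.generated_time: 6
 
 - extract_array:
 when:
 equals:
-_temp_.message_type: TRAFFIC
+panw.panos.type: TRAFFIC
 field: csv
 overwrite_keys: true
 omit_empty: true
@@ -107,7 +108,7 @@ processors:
 - extract_array:
 when:
 equals:
-_temp_.message_type: THREAT
+panw.panos.type: THREAT
 field: csv
 omit_empty: true
 overwrite_keys: true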
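Review bot: The added `omit_empty: true` on the first extract_array (new line 38) is a behavior change the commit title and description do not mention: with it, an empty CSV column leaves the target key unset rather than (presumably) set to an empty string, and that applies not only to `panw.panos.type` and `panw.panos.sub_type` but to `event.created`, `observer.serial_number` and `_temp_.generated_time` in the same processor. Absence is what the null-safe `ctx?.panw?.panos?.type` conditions in the pipeline handle well, so the change looks intended, but it deserves a line in the description or a comment above the option, `# omit_empty: an empty column leaves the key unset instead of empty`, so the next reader does not take it for an accident. The `processors:` list these entries belong to starts before the first hunk and continues after the second.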
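--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -134,72 +134,72 @@ processors:
 - set:
 field: network.direction
 value: inbound
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
 - set:
 field: network.direction
 value: outbound
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
 - set:
 field: network.direction
 value: internal
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
 - set:
 field: network.direction
 value: external
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
 - set:
 field: network.direction
 value: unknown
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
 
 # Set network.direction from threat direction (Threat logs).
 - set:
 field: network.direction
 value: inbound
-if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
+if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
 
 - set:
 field: network.direction
 value: outbound
-if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
+if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
 
 - set:
 field: network.direction
 value: unknown
-if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null'
+if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null'
 
 # Set network.type for TRAFFIC.
 - set:
 field: network.type
 value: 'ipv4'
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
 - set:
 field: network.type
 value: 'ipv6'
-if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
 
 # Set event.category depending on log type.
 - set:
 field: event.kind
 value: event
-if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
 - append:
 field: event.category
 value:
 - network_traffic
 - network
-if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
 - set:
 field: event.kind
 value: alert
-if: 'ctx?._temp_?.message_type == "THREAT"'
+if: 'ctx?.panw?.panos?.type == "THREAT"'
 - append:
 field: event.category
 value:
 - security_threat
 - intrusion_detection
 - network
-if: 'ctx?._temp_?.message_type == "THREAT"'
+if: 'ctx?.panw?.panos?.type == "THREAT"'
 - append:
 field: event.type
 value: allowed
@@ -217,89 +217,89 @@ processors:
 - set:
 field: event.action
 value: flow_started
-if: 'ctx?._temp_?.message_subtype == "start"'
+if: 'ctx?.panw?.panos?.sub_type == "start"'
 - append:
 field: event.type
 value:
 - start
 - connection
-if: 'ctx?._temp_?.message_subtype == "start"'
+if: 'ctx?.panw?.panos?.sub_type == "start"'
 - set:
 field: event.action
 value: flow_terminated
-if: 'ctx?._temp_?.message_subtype == "end"'
+if: 'ctx?.panw?.panos?.sub_type == "end"'
 - append:
 field: event.type
 value:
 - end
 - connection
-if: 'ctx?._temp_?.message_subtype == "end"'
+if: 'ctx?.panw?.panos?.sub_type == "end"'
 - set:
 field: event.action
 value: flow_dropped
-if: 'ctx?._temp_?.message_subtype == "drop"'
+if: 'ctx?.panw?.panos?.sub_type == "drop"'
 - append:
 field: event.type
 value:
 - denied
 - connection
-if: 'ctx?._temp_?.message_subtype == "drop"'
+if: 'ctx?.panw?.panos?.sub_type == "drop"'
 - set:
 field: event.action
 value: flow_denied
-if: 'ctx?._temp_?.message_subtype == "deny"'
+if: 'ctx?.panw?.panos?.sub_type == "deny"'
 - append:
 field: event.type
 value:
 - denied
 - connection
-if: 'ctx?._temp_?.message_subtype == "deny"'
+if: 'ctx?.panw?.panos?.sub_type == "deny"'
 
 # event.action for threat logs.
 - set:
 field: event.action
 value: data_match
-if: 'ctx?._temp_?.message_subtype == "data"'
+if: 'ctx?.panw?.panos?.sub_type == "data"'
 - set:
 field: event.action
 value: file_match
-if: 'ctx?._temp_?.message_subtype == "file"'
+if: 'ctx?.panw?.panos?.sub_type == "file"'
 - set:
 field: event.action
 value: flood_detected
-if: 'ctx?._temp_?.message_subtype == "flood"'
+if: 'ctx?.panw?.panos?.sub_type == "flood"'
 - set:
 field: event.action
 value: packet_attack
-if: 'ctx?._temp_?.message_subtype == "packet"'
+if: 'ctx?.panw?.panos?.sub_type == "packet"'
 - set:
 field: event.action
 value: scan_detected
-if: 'ctx?._temp_?.message_subtype == "scan"'
+if: 'ctx?.panw?.panos?.sub_type == "scan"'
 - set:
 field: event.action
 value: spyware_detected
-if: 'ctx?._temp_?.message_subtype == "spyware"'
+if: 'ctx?.panw?.panos?.sub_type == "spyware"'
 - set:
 field: event.action
 value: url_filtering
-if: 'ctx?._temp_?.message_subtype == "url"'
+if: 'ctx?.panw?.panos?.sub_type == "url"'
 - set:
 field: event.action
 value: virus_detected
-if: 'ctx?._temp_?.message_subtype == "virus"'
+if: 'ctx?.panw?.panos?.sub_type == "virus"'
 - set:
 field: event.action
 value: exploit_detected
-if: 'ctx?._temp_?.message_subtype == "vulnerability"'
+if: 'ctx?.panw?.panos?.sub_type == "vulnerability"'
 - set:
 field: event.action
 value: wildfire_verdict
-if: 'ctx?._temp_?.message_subtype == "wildfire"'
+if: 'ctx?.panw?.panos?.sub_type == "wildfire"'
 - set:
 field: event.action
 value: wildfire_virus_detected
-if: 'ctx?._temp_?.message_subtype == "wildfire-virus"'
+if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"'
 
 
 # Set numeric log.level from event.severity.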
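Review bot: The `event.action` and `event.type` processors keyed on `ctx?.panw?.panos?.sub_type` in the second hunk (new lines 220–302) are not gated on the log type, whereas every `network.direction`, `network.type`, `event.kind` and `event.category` condition in the first hunk also checks `ctx?.panw?.panos?.type`. The TRAFFIC and THREAT sub-type names compared here do not overlap, so this is a consistency point rather than a defect in the rename, but a sub_type such as `url` or `file` on a log type this fileset does not otherwise classify would still be labelled with a threat action; prefixing the flow block with `ctx?.panw?.panos?.type == "TRAFFIC" && ` and the threat block with `ctx?.panw?.panos?.type == "THREAT" && ` makes the intent explicit and matches the first hunk. Both hunks are slices of the `processors:` list, which starts before the first hunk and continues after the second.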