diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b5d8d8b4cf7..b0d6c81009c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -578,6 +578,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128] - Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482] - Mark `filestream` input beta. {pull}25560[25560] +- Update PanOS module to parse Global Protect & User ID logs. {issue}24722[24722] {issue}24724[24724] {pull}24927[24927] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index ba7b8d47d4a..c37f66e926b 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -107511,6 +107511,279 @@ Specifies the sub type of the log Virtual system instance +type: keyword + +-- + +*`panw.panos.client_os_ver`*:: ++ +-- +The client device’s OS version. + + +type: keyword + +-- + +*`panw.panos.client_os`*:: ++ +-- +The client device’s OS version. + + +type: keyword + +-- + +*`panw.panos.client_ver`*:: ++ +-- +The client’s GlobalProtect app version. + + +type: keyword + +-- + +*`panw.panos.stage`*:: ++ +-- +A string showing the stage of the connection + + +type: keyword + +example: before-login + +-- + +*`panw.panos.actionflags`*:: ++ +-- +A bit field indicating if the log was forwarded to Panorama. + + +type: keyword + +-- + +*`panw.panos.error`*:: ++ +-- +A string showing that error that has occurred in any event. + + +type: keyword + +-- + +*`panw.panos.error_code`*:: ++ +-- +An integer associated with any errors that occurred. + + +type: integer + +-- + +*`panw.panos.repeatcnt`*:: ++ +-- +The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred. + + +type: integer + +-- + +*`panw.panos.serial_number`*:: ++ +-- +The serial number of the user’s machine or device. + + +type: keyword + +-- + +*`panw.panos.auth_method`*:: ++ +-- +A string showing the authentication type + + +type: keyword + +example: LDAP + +-- + +*`panw.panos.datasource`*:: ++ +-- +Source from which mapping information is collected. + + +type: keyword + +-- + +*`panw.panos.datasourcetype`*:: ++ +-- +Mechanism used to identify the IP/User mappings within a data source. + + +type: keyword + +-- + +*`panw.panos.datasourcename`*:: ++ +-- +User-ID source that sends the IP (Port)-User Mapping. + + +type: keyword + +-- + +*`panw.panos.factorno`*:: ++ +-- +Indicates the use of primary authentication (1) or additional factors (2, 3). 
+ + +type: integer + +-- + +*`panw.panos.factortype`*:: ++ +-- +Vendor used to authenticate a user when Multi Factor authentication is present. + + +type: keyword + +-- + +*`panw.panos.factorcompletiontime`*:: ++ +-- +Time the authentication was completed. + + +type: date + +-- + +*`panw.panos.ugflags`*:: ++ +-- +Displays whether the user group that was found during user group mapping. Supported values are: +User Group Found—Indicates whether the user could be mapped to a group. +Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. + + +type: keyword + +-- + +[float] +=== device_group_hierarchy + +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + + +*`panw.panos.device_group_hierarchy.level_1`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.device_group_hierarchy.level_2`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. 
The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.device_group_hierarchy.level_3`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.device_group_hierarchy.level_4`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.timeout`*:: ++ +-- +Timeout after which the IP/User Mappings are cleared. + + +type: integer + +-- + +*`panw.panos.vsys_id`*:: ++ +-- +A unique identifier for a virtual system on a Palo Alto Networks firewall. + + +type: keyword + +-- + +*`panw.panos.vsys_name`*:: ++ +-- +The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. 
+ + +type: keyword + +-- + +*`panw.panos.description`*:: ++ +-- +Additional information for any event that has occurred. + + +type: keyword + +-- + +*`panw.panos.tunnel_type`*:: ++ +-- +The type of tunnel (either SSLVPN or IPSec). + + type: keyword -- diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 1990a4b7403..ad5e151b5d6 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index 4fa1094f56f..5d684649862 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml 
@@ -147,3 +147,147 @@ type: keyword description: > Virtual system instance + + - name: client_os_ver + type: keyword + description: > + The client device’s OS version. + + - name: client_os + type: keyword + description: > + The client device’s OS version. + + - name: client_ver + type: keyword + description: > + The client’s GlobalProtect app version. + + - name: stage + type: keyword + example: before-login + description: > + A string showing the stage of the connection + + - name: actionflags + type: keyword + description: > + A bit field indicating if the log was forwarded to Panorama. + + - name: error + type: keyword + description: > + A string showing that error that has occurred in any event. + + - name: error_code + type: integer + description: > + An integer associated with any errors that occurred. + + - name: repeatcnt + type: integer + description: > + The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred. + + - name: serial_number + type: keyword + description: > + The serial number of the user’s machine or device. + + - name: auth_method + type: keyword + example: LDAP + description: > + A string showing the authentication type + + - name: datasource + type: keyword + description: > + Source from which mapping information is collected. + + - name: datasourcetype + type: keyword + description: > + Mechanism used to identify the IP/User mappings within a data source. + + - name: datasourcename + type: keyword + description: > + User-ID source that sends the IP (Port)-User Mapping. + + - name: factorno + type: integer + description: > + Indicates the use of primary authentication (1) or additional factors (2, 3). + + - name: factortype + type: keyword + description: > + Vendor used to authenticate a user when Multi Factor authentication is present. 
+ + - name: factorcompletiontime + type: date + description: > + Time the authentication was completed. + + - name: ugflags + type: keyword + description: | + Displays whether the user group that was found during user group mapping. Supported values are: + User Group Found—Indicates whether the user could be mapped to a group. + Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. + + - name: device_group_hierarchy + type: group + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + fields: + - name: level_1 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: level_2 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. 
+ If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: level_3 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: level_4 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: timeout + type: integer + description: > + Timeout after which the IP/User Mappings are cleared. + + - name: vsys_id + type: keyword + description: > + A unique identifier for a virtual system on a Palo Alto Networks firewall. + + - name: vsys_name + type: keyword + description: > + The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. + + - name: description + type: keyword + description: > + Additional information for any event that has occurred. + + - name: tunnel_type + type: keyword + description: > + The type of tunnel (either SSLVPN or IPSec). 
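Review bot: Several descriptions in this hunk are copy-paste leftovers: `client_os` repeats the `client_os_ver` text ("The client device’s OS version."), `repeatcnt` ends with the unrelated sentence "An integer associated with any errors that occurred.", each `device_group_hierarchy.level_N` repeats the group-level paragraph instead of saying which level it holds, and the `ugflags` text "Displays whether the user group that was found during user group mapping" is not a sentence. Because these become the module reference in fields.asciidoc (same text in the earlier hunk), fix them here, e.g. `client_os`: `The client device’s OS.`, `repeatcnt`: drop the trailing sentence, `level_1`: `Identification number of the level-1 ancestor in the device group hierarchy.`. Separately, `error_code` is declared `type: integer` while the convert processors added in pipeline.yml cover only factorno, repeatcnt and timeout, so the CSV string for error_code reaches Elasticsearch unconverted and relies on index-time coercion; `- convert: { type: integer, ignore_missing: true, field: panw.panos.error_code }` would make it consistent. As far as this diff shows, `client_os_ver` and `client_os` are declared but never populated, since the GLOBALPROTECT extract_array maps those columns to host.os.family and host.os.full.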
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index f56e2ecba39..ee31557afb0 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml 
@@ -172,6 +172,91 @@ processors: destination.user.email: 52 observer.hostname: 59 + - extract_array: + when: + equals: + panw.panos.type: GLOBALPROTECT + field: csv + omit_empty: true + overwrite_keys: true + fail_on_error: false + mappings: + panw.panos.virtual_sys: 7 + event.code: 8 + panw.panos.stage: 9 + panw.panos.auth_method: 10 + panw.panos.tunnel_type: 11 + _temp_.srcuser: 12 + _temp_.srcloc: 13 + host.name: 14 + source.nat.ip: 15 + client.nat.ip: 15 + _temp_.public_ipv6: 16 + host.ip: 17 + source.ip: 17 + client.ip: 17 + source.address: 17 + client.address: 17 + _temp_.private_ipv6: 18 + host.id: 19 + panw.panos.serial_number: 20 + panw.panos.client_ver: 21 + host.os.family: 22 + host.os.full: 23 + panw.panos.repeatcnt: 24 + event.reason: 25 + panw.panos.error: 26 + panw.panos.description: 27 + event.outcome: 28 + observer.geo.name: 29 + event.duration: 30 + panw.panos.connect_method: 31 + panw.panos.error_code: 32 + observer.hostname: 33 + panw.panos.sequence_number: 34 + panw.panos.actionflags: 35 + + - extract_array: + when: + equals: + panw.panos.type: USERID + field: csv + omit_empty: true + overwrite_keys: true + fail_on_error: false + mappings: + event.action: 4 + panw.panos.virtual_sys: 7 + client.ip: 8 + source.ip: 8 + source.address: 8 + _temp_.srcuser: 9 + panw.panos.datasourcename: 10 + event.code: 11 + panw.panos.repeatcnt: 12 + panw.panos.timeout: 13 + source.port: 14 + client.port: 14 + destination.port: 15 + server.port: 15 + panw.panos.datasource: 16 + panw.panos.datasourcetype: 17 + panw.panos.sequence_number: 18 + panw.panos.actionflags: 19 + panw.panos.device_group_hierarchy.level_1: 20 + panw.panos.device_group_hierarchy.level_2: 21 + panw.panos.device_group_hierarchy.level_3: 22 + panw.panos.device_group_hierarchy.level_4: 23 + panw.panos.vsys_name: 24 + observer.hostname: 25 + panw.panos.vsys_id: 26 + panw.panos.factortype: 27 + panw.panos.factorcompletiontime: 28 + panw.panos.factorno: 29 + panw.panos.ugflags: 30 + source.user.name: 
31 + client.user.name: 31 + - drop_fields: fields: - csv @@ -190,15 +275,6 @@ processors: internal_zones: {{ .internal_zones | tojson }} {{ end }} - - community_id: ~ - - - community_id: - target: panw.panos.network.nat.community_id - fields: - source_ip: source.nat.ip - source_port: source.nat.port - destination_ip: destination.nat.ip - destination_port: destination.nat.port # Copy NAT data from ECS fields to the original non-ECS fields to retain # backward compatibility. This should be removed for 8.0. diff --git a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml new file mode 100644 index 00000000000..66edbd302f2 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml @@ -0,0 +1,36 @@ +--- +description: Pipeline for PanOS Global Protect Logs +processors: + - set: + field: source.ip + value: "{{_temp_.private_ipv6}}" + if: ctx?._temp_?.private_ipv6 != "" && ctx?._temp_?.private_ipv6 != "0.0.0.0" + - set: + field: source.nat.ip + value: "{{_temp_.public_ipv6}}" + if: ctx?._temp_?.public_ipv6 != "" && ctx?._temp_?.public_ipv6 != "0.0.0.0" + - grok: + field: _temp_.srcuser + ignore_missing: true + patterns: + - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}' + - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}' + - '%{USERNAME:source.user.name}' + if: ctx?._temp_?.srcuser != null + - set: + field: network.type + value: 'ipv4' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")' + - set: + field: network.type + value: 'ipv6' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")' + +on_failure: + - append: + field: error.message + value: >- + error in Global Protect pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} 
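Review bot: The GLOBALPROTECT extract_array copies column 17 into `host.ip`, `source.ip`, `client.ip`, `source.address` and `client.address`, and column 15 into both `source.nat.ip` and `client.nat.ip`, but the new ingest/globalprotect.yml pipeline later overrides only `source.ip` and `source.nat.ip` from `_temp_.private_ipv6`/`_temp_.public_ipv6`, so for an IPv6 client the `client.*`, `host.ip` and `*.address` copies keep the column-17/15 value and diverge from `source.ip`. I would map only `source.ip`, `source.nat.ip` and the two `_temp_` columns here and derive the copies in the ingest pipeline after the override (one `set` per copy with `value: "{{source.ip}}"`), or apply the same override to every copy. Whether PAN-OS fills columns 16 and 18 only for IPv6 sessions is not visible in this diff; a comment above the block naming the GlobalProtect log-format version these positions were taken from would help whoever re-verifies the column numbers.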
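Review bot: The `if` conditions on the first two `set` processors treat a missing `_temp_.private_ipv6`/`_temp_.public_ipv6` as present: the input uses `omit_empty: true`, so an empty column is not extracted, `ctx?._temp_?.private_ipv6` is then null, `null != "" && null != "0.0.0.0"` is true, and the processor overwrites `source.ip` with the empty rendering of `{{_temp_.private_ipv6}}` — so every IPv4 GlobalProtect event appears to lose its `source.ip` and `source.nat.ip` unless something outside this diff prevents it. Both conditions need a null guard first: `if: ctx?._temp_?.private_ipv6 != null && ctx._temp_.private_ipv6 != "" && ctx._temp_.private_ipv6 != "0.0.0.0"`, and the same for `public_ipv6`. The two `network.type` conditions have the mirror problem: `ctx?.source?.ip.contains(".")` calls `contains` on null when `source.ip` is absent, which fails the processor and sends the event to on_failure; write `ctx?.network?.type == null && ctx?.source?.ip != null && ctx.source.ip.contains(".")` (and `":"` for ipv6), the `!= null &&` pattern the existing pipeline.yml conditions already use.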
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 6fdd0cac2ef..60845882733 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml 
@@ -1,624 +1,533 @@ description: "Pipeline for Palo Alto Networks PAN-OS Logs" processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' -# keep message as log.original. - - rename: - field: message - target_field: log.original + # keep message as log.original. + - rename: + field: message + target_field: log.original # Get the timezone from the IETF header if present. Otherwise the timezone # value added by the add_locale processor will be used. - - grok: - field: _temp_.ietf_header - patterns: - - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' - ignore_failure: true - -# Set @timestamp to the time when the entry was generated at the data plane. - - date: - if: "ctx.event.timezone == null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.created is the time the event was received at the management plane. - - date: - if: "ctx.event.timezone == null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.start (traffic only) is the time the session started. 
- - date: - if: "ctx.event.timezone == null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - timezone: "{{ event.timezone }}" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# convert integer fields as the output of the CSV processor is always a string. - - convert: { type: long, ignore_missing: true, field: client.bytes } - - convert: { type: long, ignore_missing: true, field: client.packets } - - convert: { type: long, ignore_missing: true, field: client.port } - - convert: { type: long, ignore_missing: true, field: server.bytes } - - convert: { type: long, ignore_missing: true, field: server.packets } - - convert: { type: long, ignore_missing: true, field: server.port } - - convert: { type: long, ignore_missing: true, field: source.bytes } - - convert: { type: long, ignore_missing: true, field: source.packets } - - convert: { type: long, ignore_missing: true, field: source.port } - - convert: { type: long, ignore_missing: true, field: destination.bytes } - - convert: { type: long, ignore_missing: true, field: destination.packets } - - convert: { type: long, ignore_missing: true, field: destination.port } - - convert: { type: long, ignore_missing: true, field: network.bytes } - - convert: { type: long, ignore_missing: true, field: network.packets } - - convert: { type: long, ignore_missing: true, field: event.duration } - - convert: { type: long, ignore_missing: true, field: _temp_.labels } - - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } - - convert: { type: long, ignore_missing: true, field: source.nat.port } - - convert: { type: long, 
ignore_missing: true, field: destination.nat.port } - - convert: { type: long, ignore_missing: true, field: client.nat.port } - - convert: { type: long, ignore_missing: true, field: server.nat.port } - -# Remove PCAP ID when zero (no packet capture). - - remove: - if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' - field: - - panw.panos.network.pcap_id - -# Extract 'flags' bitfield into labels. - - script: - lang: painless - if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' - params: - pcap_included: 0x80000000 - ipv6_session: 0x02000000 - ssl_decrypted: 0x01000000 - url_filter_denied: 0x00800000 - nat_translated: 0x00400000 - captive_portal: 0x00200000 - x_forwarded_for: 0x00080000 - http_proxy: 0x00040000 - container_page: 0x00008000 - temporary_match: 0x00002000 - symmetric_return: 0x00000800 - source: > - def labels = ctx?.labels; - if (labels == null) { + - grok: + field: _temp_.ietf_header + patterns: + - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' + ignore_failure: true + + # Set @timestamp to the time when the entry was generated at the data plane. + - date: + if: "ctx.event.timezone == null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.created is the time the event was received at the management plane. 
+ - date: + if: "ctx.event.timezone == null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.start (traffic only) is the time the session started. + - date: + if: "ctx.event.timezone == null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + timezone: "{{ event.timezone }}" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # convert integer fields as the output of the CSV processor is always a string. 
+ - convert: { type: long, ignore_missing: true, field: client.bytes } + - convert: { type: long, ignore_missing: true, field: client.packets } + - convert: { type: long, ignore_missing: true, field: client.port } + - convert: { type: long, ignore_missing: true, field: server.bytes } + - convert: { type: long, ignore_missing: true, field: server.packets } + - convert: { type: long, ignore_missing: true, field: server.port } + - convert: { type: long, ignore_missing: true, field: source.bytes } + - convert: { type: long, ignore_missing: true, field: source.packets } + - convert: { type: long, ignore_missing: true, field: source.port } + - convert: { type: long, ignore_missing: true, field: destination.bytes } + - convert: { type: long, ignore_missing: true, field: destination.packets } + - convert: { type: long, ignore_missing: true, field: destination.port } + - convert: { type: long, ignore_missing: true, field: network.bytes } + - convert: { type: long, ignore_missing: true, field: network.packets } + - convert: { type: long, ignore_missing: true, field: event.duration } + - convert: { type: long, ignore_missing: true, field: _temp_.labels } + - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } + - convert: { type: long, ignore_missing: true, field: source.nat.port } + - convert: { type: long, ignore_missing: true, field: destination.nat.port } + - convert: { type: long, ignore_missing: true, field: client.nat.port } + - convert: { type: long, ignore_missing: true, field: server.nat.port } + - convert: { type: integer, ignore_missing: true, field: panw.panos.factorno } + - convert: { type: integer, ignore_missing: true, field: panw.panos.repeatcnt } + - convert: { type: integer, ignore_missing: true, field: panw.panos.timeout } + + - community_id: + ignore_missing: true + + - community_id: + target_field: panw.panos.network.nat.community_id + ignore_missing: true + ignore_failure: true + source_ip: source.nat.ip + source_port: 
source.nat.port + destination_ip: destination.nat.ip + destination_port: destination.nat.port + + # Remove PCAP ID when zero (no packet capture). + - remove: + if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' + field: + - panw.panos.network.pcap_id + + # Extract 'flags' bitfield into labels. + - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + source: > + def labels = ctx?.labels; + if (labels == null) { labels = new HashMap(); ctx['labels'] = labels; - } - long value = ctx._temp_.labels; - for (entry in params.entrySet()) { + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { if ((value & entry.getValue()) != 0) { labels[entry.getKey()] = true; } - } - -# normalize event.duration and determine event.end. - - script: - lang: painless - if: 'ctx?.event?.duration != null' - params: - NANOS_IN_A_SECOND: 1000000000 - source: > - long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; - ctx['event']['duration'] = nanos; - def start = ctx.event?.start; - if (start != null) { + } + + # normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); - } - -# Set network.direction using src/dst zone (traffic logs). 
- - set: - field: network.direction - value: inbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone) - ) - ) -# 
Set network.direction from threat direction (Threat logs). - - set: - field: network.direction - value: inbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' - - - set: - field: network.direction - value: outbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' - - - set: - field: network.direction - value: unknown - if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null' - -# Set network.type for TRAFFIC. - - set: - field: network.type - value: 'ipv4' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null' - - set: - field: network.type - value: 'ipv6' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null' - - # Set event.category depending on log type. - - set: - field: event.kind - value: event - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - append: - field: event.category - allow_duplicates: false - value: - - network_traffic - - network - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - set: - field: event.kind - value: alert - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.category - allow_duplicates: false - value: - - security_threat - - intrusion_detection - - network - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.type - allow_duplicates: false - value: allowed - if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" - - append: - field: event.type - allow_duplicates: false - value: denied - if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" - - set: - field: event.outcome - value: success - - -# event.action for traffic logs. 
- - set: - field: event.action - value: flow_started - if: 'ctx?.panw?.panos?.sub_type == "start"' - - append: - field: event.type - allow_duplicates: false - value: - - start - - connection - if: 'ctx?.panw?.panos?.sub_type == "start"' - - set: - field: event.action - value: flow_terminated - if: 'ctx?.panw?.panos?.sub_type == "end"' - - append: - field: event.type - allow_duplicates: false - value: - - end - - connection - if: 'ctx?.panw?.panos?.sub_type == "end"' - - set: - field: event.action - value: flow_dropped - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - set: - field: event.action - value: flow_denied - if: 'ctx?.panw?.panos?.sub_type == "deny"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "deny"' - -# event.action for threat logs. - - set: - field: event.action - value: data_match - if: 'ctx?.panw?.panos?.sub_type == "data"' - - set: - field: event.action - value: file_match - if: 'ctx?.panw?.panos?.sub_type == "file"' - - set: - field: event.action - value: flood_detected - if: 'ctx?.panw?.panos?.sub_type == "flood"' - - set: - field: event.action - value: packet_attack - if: 'ctx?.panw?.panos?.sub_type == "packet"' - - set: - field: event.action - value: scan_detected - if: 'ctx?.panw?.panos?.sub_type == "scan"' - - set: - field: event.action - value: spyware_detected - if: 'ctx?.panw?.panos?.sub_type == "spyware"' - - set: - field: event.action - value: url_filtering - if: 'ctx?.panw?.panos?.sub_type == "url"' - - set: - field: event.action - value: virus_detected - if: 'ctx?.panw?.panos?.sub_type == "virus"' - - set: - field: event.action - value: exploit_detected - if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' - - set: - field: event.action - value: wildfire_verdict - if: 'ctx?.panw?.panos?.sub_type == "wildfire"' - - set: 
- field: event.action - value: wildfire_virus_detected - if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' - - -# Set numeric log.level from event.severity. - - set: - field: "event.severity" - if: 'ctx.log.level == "critical"' - value: 1 - - set: - field: "event.severity" - if: 'ctx.log.level == "high"' - value: 2 - - set: - field: "event.severity" - if: 'ctx.log.level == "medium"' - value: 3 - - set: - field: "event.severity" - if: 'ctx.log.level == "low"' - value: 4 - - set: - field: "event.severity" - if: 'ctx.log.level == "informational"' - value: 5 - -# Normalize event.outcome. -# These values appear in the TRAFFIC docs but look like a mistake. - - set: - field: panw.panos.action - value: 'drop-icmp' - if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' - - set: - field: panw.panos.action - value: 'reset-both' - if: 'ctx?.panw?.panos?.action == "reset both"' - - set: - field: panw.panos.action - value: 'reset-client' - if: 'ctx?.panw?.panos?.action == "reset client"' - - set: - field: panw.panos.action - value: 'reset-server' - if: 'ctx?.panw?.panos?.action == "reset server"' - -# Build related.ip array from src/dest/NAT IPs. - - append: - if: 'ctx?.source?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.ip}}' - - append: - if: 'ctx?.destination?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.ip}}' - - append: - if: 'ctx?.source?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.nat.ip}}' - - append: - if: 'ctx?.destination?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.nat.ip}}' - -# Geolocation for source. - - geoip: - if: 'ctx?.source?.ip != null' - field: source.ip - target_field: source.geo - -# Geolocation for destination. 
- - geoip: - if: 'ctx?.destination?.ip != null' - field: destination.ip - target_field: destination.geo - -# IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -# Set source|destination.geo.name from panw's srcloc|dstloc - - rename: - if: 'ctx.source?.geo?.name == null' - field: _temp_.srcloc - target_field: source.geo.name - ignore_missing: true - - rename: - if: 'ctx.destination?.geo?.name == null' - field: _temp_.dstloc - target_field: destination.geo.name - ignore_missing: true - -# Append NAT community_id to network.community_id - - append: - if: 'ctx?.panw?.panos?.network?.nat?.community_id != null' - field: network.community_id - allow_duplicates: false - value: + } + +## TRAFFIC + - pipeline: + if: ctx?.panw?.panos?.type == "TRAFFIC" + name: '{< IngestPipeline "traffic" >}' + +## THREAT + - pipeline: + if: ctx?.panw?.panos?.type == "THREAT" + name: '{< IngestPipeline "threat" >}' + +## GLOBAL PROTECT + - pipeline: + if: ctx?.panw?.panos?.type == "GLOBALPROTECT" + name: '{< IngestPipeline "globalprotect" >}' + +## USER ID + - pipeline: + if: ctx?.panw?.panos?.type == "USERID" + name: '{< IngestPipeline "userid" >}' + + - append: + field: event.type + allow_duplicates: false + value: allowed + if: "ctx?.panw?.panos?.action != 
null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" + - append: + field: event.type + allow_duplicates: false + value: denied + if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" + - set: + field: event.outcome + value: success + + # event.action for traffic logs. + - set: + field: event.action + value: flow_started + if: 'ctx?.panw?.panos?.sub_type == "start"' + - append: + field: event.type + allow_duplicates: false + value: + - start + - connection + if: 'ctx?.panw?.panos?.sub_type == "start"' + - set: + field: event.action + value: flow_terminated + if: 'ctx?.panw?.panos?.sub_type == "end"' + - append: + field: event.type + allow_duplicates: false + value: + - end + - connection + if: 'ctx?.panw?.panos?.sub_type == "end"' + - set: + field: event.action + value: flow_dropped + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - set: + field: event.action + value: flow_denied + if: 'ctx?.panw?.panos?.sub_type == "deny"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "deny"' + + # event.action for threat logs. 
+ - set: + field: event.action + value: data_match + if: 'ctx?.panw?.panos?.sub_type == "data"' + - set: + field: event.action + value: file_match + if: 'ctx?.panw?.panos?.sub_type == "file"' + - set: + field: event.action + value: flood_detected + if: 'ctx?.panw?.panos?.sub_type == "flood"' + - set: + field: event.action + value: packet_attack + if: 'ctx?.panw?.panos?.sub_type == "packet"' + - set: + field: event.action + value: scan_detected + if: 'ctx?.panw?.panos?.sub_type == "scan"' + - set: + field: event.action + value: spyware_detected + if: 'ctx?.panw?.panos?.sub_type == "spyware"' + - set: + field: event.action + value: url_filtering + if: 'ctx?.panw?.panos?.sub_type == "url"' + - set: + field: event.action + value: virus_detected + if: 'ctx?.panw?.panos?.sub_type == "virus"' + - set: + field: event.action + value: exploit_detected + if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' + - set: + field: event.action + value: wildfire_verdict + if: 'ctx?.panw?.panos?.sub_type == "wildfire"' + - set: + field: event.action + value: wildfire_virus_detected + if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' + + + # Set numeric log.level from event.severity. + - set: + field: "event.severity" + if: 'ctx?.log?.level == "critical"' + value: 1 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "high"' + value: 2 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "medium"' + value: 3 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "low"' + value: 4 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "informational"' + value: 5 + + # Normalize event.outcome. + # These values appear in the TRAFFIC docs but look like a mistake. + - lowercase: + field: panw.panos.action + ignore_missing: true + - gsub: + field: panw.panos.action + pattern: \s + replacement: "-" + ignore_missing: true + + # Build related.ip array from src/dest/NAT IPs. 
+ - append: + if: 'ctx?.source?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.ip}}' + - append: + if: 'ctx?.destination?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.ip}}' + - append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.nat.ip}}' + - append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.nat.ip}}' + + # Geolocation for source. + - geoip: + if: 'ctx?.source?.ip != null' + field: source.ip + target_field: source.geo + + # Geolocation for destination. + - geoip: + if: 'ctx?.destination?.ip != null' + field: destination.ip + target_field: destination.geo + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + # Set source|destination.geo.name from panw's srcloc|dstloc + - rename: + if: 'ctx.source?.geo?.name == null' + field: _temp_.srcloc + target_field: source.geo.name + ignore_missing: true + - rename: + if: 'ctx.destination?.geo?.name == null' + field: _temp_.dstloc + target_field: destination.geo.name + ignore_missing: true + + # Append NAT community_id to network.community_id + - append: + if: 
'ctx?.panw?.panos?.network?.nat?.community_id != null' + field: network.community_id + allow_duplicates: false + value: - '{{panw.panos.network.nat.community_id}}' - - grok: - if: 'ctx?.panw?.panos?.threat?.name != null' - field: panw.panos.threat.name - ignore_failure: true - patterns: - - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)' - - - set: - field: panw.panos.threat.name - value: 'URL-filtering' - if: 'ctx?.panw?.panos?.threat?.id == "9999"' - - - set: - field: rule.name - value: "{{panw.panos.ruleset}}" - ignore_empty_value: true - -# Set url and file values - - rename: - if: 'ctx?.panw?.panos?.sub_type != "url"' - field: url.original - target_field: file.name - ignore_missing: true - - - grok: - field: url.original - patterns: - - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' - ignore_missing: true - pattern_definitions: - USERNAME: '[^\:]*' - PASSWORD: '[^@]*' - DOMAIN: '[^\/\?#\:]*' - PATH: '[^\?#]*' - QUERY: '[^#]*' - ANY: '.*' - if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' - - - grok: - field: url.path - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' - ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.url?.path != null && ctx?.url?.path != ""' - - - grok: - field: file.name - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' 
- ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.file?.name != null && ctx?.file?.name != ""' - - - append: - field: related.user - allow_duplicates: false - value: "{{client.user.name}}" - if: "ctx?.client?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{server.user.name}}" - if: "ctx?.server?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{url.username}}" - if: "ctx?.url?.username != null && ctx?.url?.username != ''" - allow_duplicates: false - - - append: - field: related.hash - allow_duplicates: false - value: "{{panw.panos.file.hash}}" - if: "ctx?.panw?.panos?.file?.hash != null" - - - append: - field: related.hosts - allow_duplicates: false - value: "{{observer.hostname}}" - if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" - allow_duplicates: false - - - append: - field: related.hosts - allow_duplicates: false - value: "{{url.domain}}" - if: "ctx?.url?.domain != null && ctx.url?.domain != ''" - allow_duplicates: false - -# Remove temporary fields. - - remove: - field: - - _temp_ - ignore_missing: true - -# Remove NAT fields when translation was not done. 
- - remove: - field: - - source.nat.ip - - source.nat.port - - client.nat.ip - - client.nat.port - if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' - - remove: - field: - - destination.nat.ip - - destination.nat.port - - server.nat.ip - - server.nat.port - if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' + - set: + field: rule.name + value: "{{panw.panos.ruleset}}" + ignore_empty_value: true + + # Set url and file values + - rename: + if: 'ctx?.panw?.panos?.sub_type != "url"' + field: url.original + target_field: file.name + ignore_missing: true + + - grok: + field: url.original + patterns: + - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' + ignore_missing: true + pattern_definitions: + USERNAME: '[^\:]*' + PASSWORD: '[^@]*' + DOMAIN: '[^\/\?#\:]*' + PATH: '[^\?#]*' + QUERY: '[^#]*' + ANY: '.*' + if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' + + - grok: + field: url.path + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' + ignore_missing: true + pattern_definitions: + FILENAME: '[^\.]+' + ANY: '.*' + if: 'ctx?.url?.path != null && ctx?.url?.path != ""' + + - grok: + field: file.name + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' 
+ ignore_missing: true + pattern_definitions: + FILENAME: '[^\.]+' + ANY: '.*' + if: 'ctx?.file?.name != null && ctx?.file?.name != ""' + + - set: + field: user + copy_from: source.user + if: "ctx?.source?.user != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{client.user.name}}" + if: "ctx?.client?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{source.user.name}}" + if: "ctx?.source?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{server.user.name}}" + if: "ctx?.server?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{destination.user.name}}" + if: "ctx?.destination?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{url.username}}" + if: "ctx?.url?.username != null && ctx?.url?.username != ''" + allow_duplicates: false + + - append: + field: related.hash + allow_duplicates: false + value: "{{panw.panos.file.hash}}" + if: "ctx?.panw?.panos?.file?.hash != null" + + - append: + field: related.hosts + allow_duplicates: false + value: "{{observer.hostname}}" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" + allow_duplicates: false + + - append: + field: related.hosts + allow_duplicates: false + value: "{{url.domain}}" + if: "ctx?.url?.domain != null && ctx.url?.domain != ''" + allow_duplicates: false + + # Remove temporary fields. + - remove: + field: + - _temp_ + ignore_missing: true + + # Remove NAT fields when translation was not done. + - remove: + field: + - source.nat.ip + - source.nat.port + - client.nat.ip + - client.nat.port + if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' + - remove: + field: + - destination.nat.ip + - destination.nat.port + - server.nat.ip + - server.nat.port + if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' on_failure: - set: 
diff --git a/x-pack/filebeat/module/panw/panos/ingest/threat.yml b/x-pack/filebeat/module/panw/panos/ingest/threat.yml
new file mode 100644
index 00000000000..31ff25bbaa0
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/threat.yml
@@ -0,0 +1,49 @@
+---
+description: Pipeline for PanOS Threat Logs
+processors:
+ # Set network.direction from threat direction (Threat logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: '(ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
+ - set:
+ field: network.direction
+ value: outbound
+ if: '(ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
+ - set:
+ field: network.direction
+ value: unknown
+ if: 'ctx?.network?.direction == null'
+
+ # Set event.category depending on log type.
+ - set:
+ field: event.kind
+ value: alert
+ - append:
+ field: event.category
+ allow_duplicates: false
+ value:
+ - security_threat
+ - intrusion_detection
+ - network
+
+ - grok:
+ if: 'ctx?.panw?.panos?.threat?.name != null'
+ field: panw.panos.threat.name
+ ignore_failure: true
+ patterns:
+ - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)'
+
+ - set:
+ field: panw.panos.threat.name
+ value: 'URL-filtering'
+ if: 'ctx?.panw?.panos?.threat?.id == "9999"'
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Threat pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/ingest/traffic.yml b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml
new file mode 100644
index 00000000000..0bfda89f66a
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml
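Review bot: The `on_failure` handler at the end of threat.yml only appends to `error.message`; since this file now runs as a sub-pipeline from pipeline.yml, a processor failure here is absorbed, the parent carries on, and the parent later sets `event.outcome: success` unconditionally (that `set` is visible elsewhere in this diff), so a half-parsed threat event is indexed looking like any other successful one with nothing but a free-text error string to tell it apart. Add `- set: {field: event.kind, value: pipeline_error}` next to the append so failed events are queryable by a keyword, as the ECS `event.kind` vocabulary intends. Separately, every processor in the file dropped the `panw.panos.type == "THREAT"` guard the old inline processors carried, and the `unknown` fallback for `network.direction` is correct only because nothing else can have populated the field first; that contract now lives in pipeline.yml, so state it at the top, e.g. `# Invoked from pipeline.yml only for panw.panos.type == "THREAT"; processors below carry no type guard.`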
@@ -0,0 +1,87 @@
+---
+description: Pipeline for PanOS Traffic Logs
+processors:
+ # Set network.direction using src/dst zone (traffic logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)
+ )
+ )
+
+ # Set network.type for TRAFFIC.
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.labels?.ipv6_session == null'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.labels?.ipv6_session != null'
+
+ # Set event.category depending on log type.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ allow_duplicates: false
+ value:
+ - network_traffic
+ - network
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Traffic pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/ingest/userid.yml b/x-pack/filebeat/module/panw/panos/ingest/userid.yml
new file mode 100644
index 00000000000..ce41df745f8
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/userid.yml
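Review bot: The five `network.direction` `set` processors at the top of traffic.yml run unconditionally in sequence and none of them checks whether the field was already assigned, so when a zone name is listed in both `_temp_.internal_zones` and `_temp_.external_zones` (a user-configuration error the pipeline does not detect) the last matching processor silently wins instead of the flow being flagged. Either add `ctx?.network?.direction == null` to the conditions after the first, or at least document the precedence in a header comment, e.g. `# Resolved in order inbound, outbound, internal, external, unknown; a later match overwrites an earlier one.` The file also lost the `panw.panos.type == "TRAFFIC"` guard that the old inline processors carried, so its correctness now rests on pipeline.yml routing only TRAFFIC events here; that assumption belongs in the `description` or a comment at the top.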
@@ -0,0 +1,44 @@
+---
+description: Pipeline for PanOS Global ProtectUser ID Logs
+processors:
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone == null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone != null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ timezone: "{{ event.timezone }}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in User ID pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 958a4ba7247..f159064e374 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
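Review bot: The three grok patterns on `_temp_.srcuser` are matched unanchored (grok does not anchor unless you add `^`/`$`) and the `USERNAME` pattern admits only `[a-zA-Z0-9._-]`, so a user name containing any other character — a space, an apostrophe, the `$` of a machine account — is silently truncated to its leading run (`domain\john doe` is attributed to `john`), and `ignore_failure: true` leaves no trace that the match was partial; because these mappings are what identity queries key on downstream, anchor them (`'^%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}$'` and likewise the other two) or widen the name character class. The two `network.type` conditions call `.contains` on `ctx?.source?.ip` with no null check, which throws if a mapping event ever arrives without an IP; prefix them with `ctx?.source?.ip != null &&`. The `description` reads `Global ProtectUser ID Logs`, a copy-paste residue from the GlobalProtect pipeline — `Pipeline for PanOS User-ID Logs`.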
@@ -21,7 +21,12 @@ var: default: - untrust -ingest_pipeline: ingest/pipeline.yml +ingest_pipeline: + - ingest/pipeline.yml + - ingest/traffic.yml + - ingest/threat.yml + - ingest/globalprotect.yml + - ingest/userid.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log new file mode 100644 index 00000000000..16196e53b9c --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log 
@@ -0,0 +1,5 @@
+1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect Portal,69200719497738,0x0
+1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0
+1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,"",1,,,"HIP report is not needed",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0
+1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Config name: , Client region: BE.",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0
+1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,"",1,,,"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
new file mode 100644
index 00000000000..9ba98f30ccb
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
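Review bot: All five sample lines carry `success` in the status column and `0` as the error code, so the fixture never exercises the path that matters most for a VPN portal/gateway log — a rejected login, a failed HIP check, a non-zero error code with its error string — and the expected output cannot show whether a failed event survives the unconditional `event.outcome: success` that pipeline.yml applies after the sub-pipelines (visible elsewhere in this diff). The expected output for these samples also emits `panw.panos.error_code` as the string `"0"` while `panw.panos.repeatcnt` comes out as the integer `1`; a sample with a real error code would make that typing visible and is likely to call for a `convert` to integer. Add at least one `failure` line, sanitised like the others, and regenerate the expected JSON.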
@@ -0,0 +1,308 @@ +[ + { + "@timestamp": "2021-03-24T11:30:00.000-02:00", + "client.address": "10.52.36.15", + "client.ip": "10.52.36.15", + "client.nat.ip": "11.134.5.168", + "event.code": "portal-prelogin", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "09300bcc-23-4900-8de9-32695452fa", + "host.ip": "10.52.36.15", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect Portal,69200719497738,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect Portal", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 69200719497738, + "panw.panos.source.nat.ip": "11.134.5.168", + "panw.panos.stage": "before-login", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect Portal" + ], + "related.ip": [ + "10.52.36.15", + "11.134.5.168" + ], + "service.type": "panw", + "source.address": "10.52.36.15", + "source.geo.name": "BE", + "source.ip": "10.52.36.15", + "source.nat.ip": "11.134.5.168", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-24T11:29:49.000-02:00", + "client.address": "10.20.13.217", + "client.ip": "10.20.13.217", + "client.nat.ip": "83.14.113.11", + "event.code": 
"gateway-config-release", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "e0957c11-93-437a-9e23-9f0c24059898", + "host.ip": "10.20.13.217", + "host.name": "CP935", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 304, + "log.original": "1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6919501582016786, + "panw.panos.serial_number": "5J9VN53", + "panw.panos.source.nat.ip": "83.14.113.11", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "10.20.13.217", + "83.14.113.11" + ], + "related.user": [ + "user" + ], + "service.type": "panw", + "source.address": "10.20.13.217", + "source.geo.name": "BE", + "source.ip": "10.20.13.217", + "source.nat.ip": "83.14.113.11", + "source.user.domain": "domain", + "source.user.name": "user", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "user" + }, + { + "@timestamp": "2021-04-07T17:41:30.000-02:00", + "client.address": "12.30.0.210", + "client.ip": "12.30.0.210", + 
"client.nat.ip": "7.2.2.193", + "event.code": "gateway-hip-check", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "523e8b-7efa-4397-a4d5-824dfa4d8a", + "host.ip": "12.30.0.210", + "host.name": "HOST82878", + "input.type": "log", + "log.offset": 640, + "log.original": "1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,\"\",1,,,\"HIP report is not needed\",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "HIP report is not needed", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6920071768563516860, + "panw.panos.serial_number": "F1SM2", + "panw.panos.source.nat.ip": "7.2.2.193", + "panw.panos.stage": "host-info", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "12.30.0.210", + "7.2.2.193" + ], + "related.user": [ + "user1" + ], + "service.type": "panw", + "source.address": "12.30.0.210", + "source.as.number": 7018, + "source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Greenwood", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 39.5992, + "source.geo.location.lon": -86.13, + "source.geo.region_iso_code": "US-IN", + "source.geo.region_name": 
"Indiana", + "source.ip": "12.30.0.210", + "source.nat.ip": "7.2.2.193", + "source.user.domain": "domain", + "source.user.name": "user1", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "user1" + }, + { + "@timestamp": "2021-04-07T17:41:29.000-02:00", + "client.address": "1.40.2.67", + "client.ip": "1.40.2.67", + "client.nat.ip": "7.2.2.171", + "event.code": "gateway-getconfig", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "7d01b5-f538-4fa3-a2a2-83980d1325", + "host.ip": "1.40.2.67", + "host.name": "HOST73486", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 946, + "log.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Config name: , Client region: BE.", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6944137135219737, + "panw.panos.serial_number": "5C261FNR", + "panw.panos.source.nat.ip": "7.2.2.171", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + "panw.panos.tunnel_type": "IPSec", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": 
[ + "1.40.2.67", + "7.2.2.171" + ], + "related.user": [ + "pre-logon" + ], + "service.type": "panw", + "source.address": "1.40.2.67", + "source.as.number": 4804, + "source.as.organization.name": "Microplex PTY LTD", + "source.geo.city_name": "Seven Hills", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.777, + "source.geo.location.lon": 150.9373, + "source.geo.name": "BE", + "source.geo.region_iso_code": "AU-NSW", + "source.geo.region_name": "New South Wales", + "source.ip": "1.40.2.67", + "source.nat.ip": "7.2.2.171", + "source.user.name": "pre-logon", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "pre-logon" + }, + { + "@timestamp": "2021-04-07T17:41:28.000-02:00", + "client.address": "0.0.0.0", + "client.ip": "0.0.0.0", + "client.nat.ip": "7.2.17.120", + "event.code": "gateway-tunnel-latency", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "2ba9f01-b83b-4902-a1fb-1748c0365", + "host.ip": "0.0.0.0", + "host.name": "HOSTP92413", + "input.type": "log", + "log.offset": 1307, + "log.original": "1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,\"\",1,,,\"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms\",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "0131001309", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms", + 
"panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6920071768563516847, + "panw.panos.serial_number": "GJG98Y2", + "panw.panos.source.nat.ip": "7.2.17.120", + "panw.panos.stage": "tunnel", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "0.0.0.0", + "7.2.17.120" + ], + "service.type": "panw", + "source.address": "0.0.0.0", + "source.geo.name": "userlterso", + "source.ip": "0.0.0.0", + "source.nat.ip": "7.2.17.120", + "tags": [ + "pan-os", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index bf6ff1e9006..55a3bf88192 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -824,6 +824,7 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 5388af2b903..0ef46712191 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -97,7 +97,8 @@ "url.domain": "lorexx.cn", "url.extension": "exe", "url.original": "lorexx.cn/loader.exe", - "url.path": "/loader.exe" + "url.path": "/loader.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -198,7 +199,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=2", "url.path": "/evo/count.php", - "url.query": "o=2" + "url.query": "o=2", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
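Review bot: `panw.panos.error_code` is emitted as the string `"0"` in every event of this fixture while the sibling counter `panw.panos.repeatcnt` is emitted as the number `1`; if `error_code` is mapped as an integer field the string value only indexes through coercion, so the globalprotect pipeline should convert it (`- convert: {field: panw.panos.error_code, type: integer, ignore_missing: true}`) or the field type should be keyword. In the last event the placeholder `0.0.0.0` is carried into `client.ip`, `host.ip`, `source.ip` and `related.ip`, which makes the correlation array match every event with an unset address; dropping zero addresses before the ECS copy would keep `related.ip` meaningful. The same event maps `userlterso` to `source.geo.name`, and in the sample line that token sits in the region column, so the sample may be mis-constructed and worth a comment in the fixture. The pipeline itself is outside this diff, so these points are inferred from the expected output.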
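Review bot: `related.user` is not added alongside the new `user.name` in this hunk, whereas the global_protect fixture in the same commit populates `related.user` wherever `user.name` is set; unless `related.user` was already present for these events (it would sit outside the three lines of context shown), the new user field is not mirrored into the ECS correlation array. The same gap applies to every `user.name` hunk in pan_inc_threat.log-expected.json and pan_inc_traffic.log-expected.json. If that is unintended, the shared pipeline step that sets `user.name` should also append it to `related.user`, e.g. `- append: {field: related.user, value: "{{user.name}}", if: "ctx?.user?.name != null"}`.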
@@ -299,7 +301,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=5", "url.path": "/evo/count.php", - "url.query": "o=5" + "url.query": "o=5", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -400,7 +403,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=7", "url.path": "/evo/count.php", - "url.query": "o=7" + "url.query": "o=7", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -501,7 +505,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", "url.path": "/evo/exploits/x18.php", - "url.query": "o=2&t=1241403746&i=1365814122" + "url.query": "o=2&t=1241403746&i=1365814122", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -602,7 +607,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", "url.path": "/evo/exploits/x19.php", - "url.query": "o=2&t=1241403746&i=1365814122" + "url.query": "o=2&t=1241403746&i=1365814122", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -702,7 +708,8 @@ "url.domain": "liteautobestguide.cn", "url.extension": "php", "url.original": "liteautobestguide.cn/load.php", - "url.path": "/load.php" + "url.path": "/load.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -802,7 +809,8 @@ "url.domain": "liteautobestguide.cn", "url.extension": "php", "url.original": "liteautobestguide.cn/index.php", - "url.path": "/index.php" + "url.path": "/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -902,7 +910,8 @@ "url.domain": "litetopdetect.cn", "url.extension": "php", "url.original": "litetopdetect.cn/index.php", - "url.path": "/index.php" + "url.path": "/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -1003,7 +1012,8 @@ "url.extension": "php", "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", "url.path": "/fff9999.php", - "url.query": "aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" + "url.query": "aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -1102,7 +1112,8 @@ ], "url.domain": "girlteenxxxfreemov.com", "url.original": "girlteenxxxfreemov.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -1202,7 +1213,8 @@ "url.domain": "imagesrepository.com", "url.extension": "php", "url.original": "imagesrepository.com/resolution.php", - "url.path": "/resolution.php" + "url.path": "/resolution.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -1303,7 +1315,8 @@ "url.extension": "php", "url.original": "hottestfiles.com/search/search.php?q=xxx", "url.path": "/search/search.php", - "url.query": "q=xxx" + "url.query": "q=xxx", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -1403,7 +1416,8 @@ "url.extension": "cgi", "url.original": "infodist1.com/in.cgi?11¶meter=404", "url.path": "/in.cgi", - "url.query": "11¶meter=404" + "url.query": "11¶meter=404", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -1503,7 +1517,8 @@ "url.domain": "cls-softwares.com", "url.extension": "php", "url.original": "cls-softwares.com/suc.php", - "url.path": "/suc.php" + "url.path": "/suc.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", 
@@ -1603,7 +1618,8 @@ "url.domain": "cls-softwares.com", "url.extension": "exe", "url.original": "cls-softwares.com/softwarefortubeview.40013.exe", - "url.path": "/softwarefortubeview.40013.exe" + "url.path": "/softwarefortubeview.40013.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -1700,7 +1716,8 @@ "url.extension": "php", "url.original": "findmorepill.com/klik/search.php?q=xxx", "url.path": "/klik/search.php", - "url.query": "q=xxx" + "url.query": "q=xxx", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -1799,7 +1816,8 @@ ], "url.domain": "allowedwebsurfing.com", "url.original": "allowedwebsurfing.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -1898,7 +1916,8 @@ ], "url.domain": "antivirus-remote.com", "url.original": "antivirus-remote.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -1998,7 +2017,8 @@ "url.domain": "bklinkov.ru", "url.extension": "cfg", "url.original": "bklinkov.ru/hi/start.cfg", - "url.path": "/hi/start.cfg" + "url.path": "/hi/start.cfg", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -2097,7 +2117,8 @@ ], "url.domain": "blogsexnakedgirlxxx.com", "url.original": "blogsexnakedgirlxxx.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -2197,7 +2218,8 @@ "url.domain": "bklinkov.ru", "url.extension": "exe", "url.original": "bklinkov.ru/hi/start.exe", - "url.path": "/hi/start.exe" + "url.path": "/hi/start.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -2291,7 +2313,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", 
@@ -2385,7 +2408,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -2479,7 +2503,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -2573,7 +2598,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -2667,7 +2693,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2761,7 +2788,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2855,7 +2883,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2949,7 +2978,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3043,7 +3073,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3137,7 +3168,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3231,7 +3263,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:43.000-02:00", @@ -3328,7 +3361,8 @@ "url.extension": "cgi", "url.original": "wantfinest.com/tds/in.cgi?default", "url.path": "/tds/in.cgi", - "url.query": "default" + "url.query": "default", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:38.000-02:00", 
@@ -3425,7 +3459,8 @@ "url.extension": "cgi", "url.original": "sameshitasiteverwas.com/traf/tds/in.cgi?2", "url.path": "/traf/tds/in.cgi", - "url.query": "2" + "url.query": "2", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:39.000-02:00", @@ -3521,7 +3556,8 @@ "url.domain": "svarkon.ru", "url.extension": "exe", "url.original": "svarkon.ru/update.exe", - "url.path": "/update.exe" + "url.path": "/update.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:36.000-02:00", @@ -3621,7 +3657,8 @@ "url.extension": "php", "url.original": "onlinescanxpp.com/land/eurl/1.php?code=", "url.path": "/land/eurl/1.php", - "url.query": "code=" + "url.query": "code=", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:34.000-02:00", @@ -3717,7 +3754,8 @@ "url.domain": "nolagtime.com", "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", "url.path": "/conn/", - "url.query": "JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" + "url.query": "JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:35.000-02:00", @@ -3813,7 +3851,8 @@ "url.domain": "nolagtime.com", "url.extension": "txt", "url.original": "nolagtime.com/gwc.txt", - "url.path": "/gwc.txt" + "url.path": "/gwc.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:19.000-02:00", 
@@ -3912,7 +3951,8 @@ "url.domain": "karavan.us", "url.extension": "php", "url.original": "karavan.us/bon/index.php", - "url.path": "/bon/index.php" + "url.path": "/bon/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:14.000-02:00", @@ -4009,7 +4049,8 @@ "url.extension": "php", "url.original": "findnolimits.com/go.php?sid=1", "url.path": "/go.php", - "url.query": "sid=1" + "url.query": "sid=1", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:12.000-02:00", @@ -4105,7 +4146,8 @@ "url.domain": "bizoplata.ru", "url.extension": "html", "url.original": "bizoplata.ru/moun.html", - "url.path": "/moun.html" + "url.path": "/moun.html", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:12.000-02:00", @@ -4201,7 +4243,8 @@ "url.domain": "bizoplata.ru", "url.extension": "html", "url.original": "bizoplata.ru/palast.html", - "url.path": "/palast.html" + "url.path": "/palast.html", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:28.000-02:00", @@ -4390,7 +4433,8 @@ ], "url.domain": "www.15min.it", "url.original": "www.15min.it/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:27.000-02:00", @@ -4485,7 +4529,8 @@ ], "url.domain": "tubemov.com", "url.original": "tubemov.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:25.000-02:00", @@ -4581,7 +4626,8 @@ "url.domain": "pagesinxt.com", "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", "url.path": "/", - "url.query": "dn=teenstube.us&flrdr=yes&nxte=js" + "url.query": "dn=teenstube.us&flrdr=yes&nxte=js", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:05.000-02:00", @@ -4676,7 +4722,8 @@ ], "url.domain": "movfree.com", "url.original": "movfree.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:51.000-02:00", 
@@ -4774,7 +4821,8 @@ ], "url.domain": "gometascan.com", "url.original": "gometascan.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:39.000-02:00", @@ -4873,7 +4921,8 @@ "url.domain": "antivirus-powerful-scannerv2.com", "url.extension": "exe", "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", - "url.path": "/download/Install_11-1.exe" + "url.path": "/download/Install_11-1.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:38.000-02:00", @@ -4972,7 +5021,8 @@ "url.domain": "antivirus-powerful-scannerv2.com", "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", "url.path": "/1/", - "url.query": "id=11-1&back==TQzyDTyMUQNMI=N" + "url.query": "id=11-1&back==TQzyDTyMUQNMI=N", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:27.000-02:00", @@ -5071,7 +5121,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:27.000-02:00", @@ -5170,7 +5221,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", @@ -5363,7 +5415,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:51:29.000-02:00", @@ -5649,7 +5702,8 @@ "url.domain": "softsellfast.com", "url.extension": "bin", "url.original": "softsellfast.com/test/config.bin", - "url.path": "/test/config.bin" + "url.path": "/test/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:45:17.000-02:00", 
@@ -5930,7 +5984,8 @@ "url.domain": "boialex.narod.ru", "url.extension": "txt", "url.original": "boialex.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:42:42.000-02:00", @@ -6026,7 +6081,8 @@ "url.domain": "edw-melon.narod.ru", "url.extension": "txt", "url.original": "edw-melon.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:42:51.000-02:00", @@ -6122,7 +6178,8 @@ "url.domain": "maximtushin.narod.ru", "url.extension": "txt", "url.original": "maximtushin.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", @@ -6315,7 +6372,8 @@ "url.domain": "marketingsoluchion.biz", "url.extension": "bin", "url.original": "marketingsoluchion.biz/fkn/config.bin", - "url.path": "/fkn/config.bin" + "url.path": "/fkn/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-09T08:18:27.000-02:00", @@ -6409,7 +6467,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T08:18:29.000-02:00", @@ -6691,7 +6750,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T08:18:37.000-02:00", @@ -6872,7 +6932,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T08:58:18.000-02:00", @@ -7507,7 +7568,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T07:25:04.000-02:00", @@ -8692,7 +8754,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T06:54:35.000-02:00", @@ -8963,7 +9026,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T03:45:45.000-02:00", 
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index c90c76236b3..1bed519a0b1 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -98,7 +98,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -196,7 +197,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -294,7 +296,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -395,7 +398,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -496,7 +500,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -594,7 +599,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -692,7 +698,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -793,7 +800,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -894,7 +902,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -995,7 +1004,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1096,7 +1106,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", 
@@ -1197,7 +1208,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1298,7 +1310,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1399,7 +1412,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1500,7 +1514,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1601,7 +1616,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1702,7 +1718,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1803,7 +1820,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1904,7 +1922,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2002,7 +2021,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2100,7 +2120,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2201,7 +2222,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2299,7 +2321,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2400,7 +2423,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2501,7 +2525,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -2602,7 +2627,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2700,7 +2726,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2798,7 +2825,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2899,7 +2927,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3000,7 +3029,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3098,7 +3128,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3199,7 +3230,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3300,7 +3332,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3398,7 +3431,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3496,7 +3530,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3597,7 +3632,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3698,7 +3734,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3796,7 +3833,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3894,7 +3932,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", 
@@ -4084,7 +4123,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4280,7 +4320,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4381,7 +4422,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4574,7 +4616,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4672,7 +4715,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4773,7 +4817,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4871,7 +4916,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4969,7 +5015,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5067,7 +5114,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5165,7 +5213,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5263,7 +5312,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5364,7 +5414,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5465,7 +5516,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5563,7 +5615,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", 
@@ -5664,7 +5717,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5762,7 +5816,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5860,7 +5915,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5961,7 +6017,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6062,7 +6119,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6160,7 +6218,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6258,7 +6317,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6356,7 +6416,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6454,7 +6515,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6552,7 +6614,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6650,7 +6713,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6751,7 +6815,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6849,7 +6914,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -6950,7 +7016,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", 
@@ -7048,7 +7115,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7146,7 +7214,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7247,7 +7316,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7345,7 +7415,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7443,7 +7514,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7541,7 +7613,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7642,7 +7715,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7733,7 +7807,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7834,7 +7909,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7935,7 +8011,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -8026,7 +8103,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -8117,7 +8195,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8218,7 +8297,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8316,7 +8396,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", 
@@ -8414,7 +8495,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8515,7 +8597,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8613,7 +8696,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8704,7 +8788,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8802,7 +8887,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -8903,7 +8989,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9001,7 +9088,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9099,7 +9187,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9197,7 +9286,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9298,7 +9388,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9399,7 +9490,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9500,7 +9592,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9591,7 +9684,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9692,7 +9786,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", 
@@ -9793,7 +9888,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -9894,6 +9990,7 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log b/x-pack/filebeat/module/panw/panos/test/userid.log new file mode 100644 index 00000000000..aaba9e04584 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/userid.log 
@@ -0,0 +1,13 @@
+1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith
+1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith
+1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0
+1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0
+1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0
+1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0
+1,2021/04/05 14:52:16,,USERID,login,2305,2021/04/05 14:52:16,vsys1,10.68.2.9,domain\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277996,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:16,1,0x80000000,admin
+1,2021/04/05 14:52:33,,USERID,logout,2305,2021/04/05 14:52:33,vsys1,10.68.2.9,domain\admin,,0,1,0,0,0,vpn-client,globalprotect,1277997,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:34,1,0x80000000,admin
+1,2021/04/05 14:53:10,,USERID,login,2305,2021/04/05 14:53:10,vsys1,10.68.2.9,subdomain\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277998,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:11,1,0x80000000,admin
+1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1277999,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,admin
+1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,user,,0,1,10800,0,0,vpn-client,globalprotect,1278000,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,user
+1,2021/04/05 14:53:49,,USERID,login,2305,2021/04/05 14:53:49,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1278001,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:49,1,0x80000000,admin
+1,2021/04/05 14:53:52,,USERID,logout,2305,2021/04/05 14:53:52,vsys1,10.68.2.9,domain\admin,,0,1,0,0,0,vpn-client,globalprotect,1278002,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:52,1,0x80000000,admin
diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
new file mode 100644
index 00000000000..0e263afea5f
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
@@ -0,0 +1,754 @@ +[ + { + "@timestamp": "2021-03-24T11:00:49.000-02:00", + "client.ip": "10.50.35.36", + "client.port": 0, + "client.user.name": "john.smith", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "FW01", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T11:00:49.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1252774, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "FW01" + ], + "related.ip": [ + "10.50.35.36" + ], + "related.user": [ + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.50.35.36", + "source.ip": "10.50.35.36", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "john.smith" + }, + { + "@timestamp": "2021-03-24T10:59:45.000-02:00", + 
"client.ip": "10.55.18.7", + "client.port": 0, + "client.user.name": "john.smith", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 240, + "log.original": "1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "FW01", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T10:59:45.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1252765, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "FW01" + ], + "related.ip": [ + "10.55.18.7" + ], + "related.user": [ + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.55.18.7", + "source.ip": "10.55.18.7", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "john.smith" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + 
"event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 476, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 642, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + 
"observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 2, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 808, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 3, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + 
"172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 974, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 4, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2021-04-05T14:52:16.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + 
"client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1140, + "log.original": "1,2021/04/05 14:52:16,,USERID,login,2305,2021/04/05 14:52:16,vsys1,10.68.2.9,domain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277996,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:16,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:16.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277996, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:52:33.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", 
+ "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1356, + "log.original": "1,2021/04/05 14:52:33,,USERID,logout,2305,2021/04/05 14:52:33,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1277997,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:34,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:34.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277997, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:10.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + 
"event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1569, + "log.original": "1,2021/04/05 14:53:10,,USERID,login,2305,2021/04/05 14:53:10,vsys1,10.68.2.9,subdomain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277998,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:11,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:11.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277998, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "subdomain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "subdomain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + 
"fileset.name": "panos", + "input.type": "log", + "log.offset": 1788, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1277999,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277999, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "user", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1997, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 
14:53:31,vsys1,10.68.2.9,user,,0,1,10800,0,0,vpn-client,globalprotect,1278000,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,user", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278000, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "user" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "user", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "user" + }, + { + "@timestamp": "2021-04-05T14:53:49.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2204, + "log.original": "1,2021/04/05 14:53:49,,USERID,login,2305,2021/04/05 14:53:49,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1278001,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:49,1,0x80000000,admin", + 
"network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:49.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278001, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:52.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2413, + "log.original": "1,2021/04/05 14:53:52,,USERID,logout,2305,2021/04/05 14:53:52,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1278002,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:52,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": 
"firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:52.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278002, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "admin" + } +] \ No newline at end of file
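Review bot: The generated expectations show the pipeline indexing empty strings for `panw.panos.datasource` and `panw.panos.datasourcetype` on the two FW01 events and for `observer.serial_number` on every CORE-FW event, while the equally empty `datasourcename` column in those same log lines is simply omitted from the document, so empty CSV cells are not handled uniformly. An indexed `""` in a keyword field shows up as a bogus bucket in aggregations and defeats the `exists` / `NOT exists` filters that detections commonly place on `observer.serial_number`. The ingest pipeline itself is outside this diff, but presumably these fields bypass whatever step already drops the empty `datasourcename`; routing them through the same empty-value handling (for example a `remove` processor with `if: ctx?.panw?.panos?.datasource == ''`, or the csv processor's `empty_value`) and regenerating this file would make them consistent. Separately, none of the 13 login/logout documents carry `event.kind`, `event.category` or `event.type` — only `event.action` — so ECS-keyed authentication/session rules will not see these events.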