From f10b0ffe1071288ec392407e039636957f4365cd Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Sun, 4 Apr 2021 23:55:52 +0000
Subject: [PATCH] #24724: Add Global Protect logs
---
x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 67 + .../module/panw/panos/config/input.yml | 90 +- .../panw/panos/ingest/globalprotect.yml | 37 + .../module/panw/panos/ingest/pipeline.yml | 1132 ++++++++--------- .../module/panw/panos/ingest/threat.yml | 49 + .../module/panw/panos/ingest/traffic.yml | 87 ++ .../filebeat/module/panw/panos/manifest.yml | 6 +- .../module/panw/panos/test/global_protect.log | 2 + .../test/global_protect.log-expected.json | 113 ++ .../test/pan_inc_threat.log-expected.json | 104 +- .../panw/panos/test/threat.log-expected.json | 152 +-- 12 files changed, 1095 insertions(+), 746 deletions(-) create mode 100644 x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml create mode 100644 x-pack/filebeat/module/panw/panos/ingest/threat.yml create mode 100644 x-pack/filebeat/module/panw/panos/ingest/traffic.yml create mode 100644 x-pack/filebeat/module/panw/panos/test/global_protect.log create mode 100644 x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go
index 1990a4b7403..eae833bfa26 100644
--- a/x-pack/filebeat/module/panw/fields.go
+++ b/x-pack/filebeat/module/panw/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetPanw returns asset data.
 // This is the base64 encoded gzipped contents of module/panw.
 func AssetPanw() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
index 4fa1094f56f..60a339b63be 100644
--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml
+++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -147,3 +147,70 @@
 type: keyword
 description: >
 Virtual system instance
+
+ # - name: eventid
+ # type: keyword
+ # description: >
+ # A string showing the name of the event.
+
+ # - name: hostid
+ # type: keyword
+ # description: >
+ # The unique ID that GlobalProtect assigns to identify the host.
+
+ # - name: machinename
+ # type: keyword
+ # description: >
+ # The name of the user’s machine.
+
+ - name: client_os_ver
+ type: keyword
+ description: >
+ The client device’s OS version.
+
+ - name: client_os
+ type: keyword
+ description: >
+ The client device’s OS version.
+
+ - name: client_ver
+ type: keyword
+ description: >
+ The client’s GlobalProtect app version.
+
+ - name: stage
+ type: keyword
+ example: before-login
+ description: >
+ A string showing the stage of the connection
+
+ - name: actionflags
+ type: keyword
+ description: >
+ A bit field indicating if the log was forwarded to Panorama.
+
+ - name: error
+ type: keyword
+ description: >
+ A string showing that error that has occurred in any event.
+
+ - name: error_code
+ type: integer
+ description: >
+ An integer associated with any errors that occurred.
+
+ - name: repeatcnt
+ type: integer
+ description: >
+ The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.
+
+ - name: serial_number
+ type: keyword
+ description: >
+ The serial number of the user’s machine or device.
+
+ - name: auth_method
+ type: keyword
+ example: LDAP
+ description: >
+ A string showing the authentication type
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index f56e2ecba39..b5ef682cbb4 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
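Review bot: The description added for `client_os` repeats the one for `client_os_ver` (`The client device’s OS version.`), so the two fields are indistinguishable in the generated field reference; `The client device’s OS.` would say what the field holds. The `repeatcnt` description also carries a stray trailing sentence (`...within the last five seconds.An integer associated with any errors that occurred.`) that belongs to `error_code`, and `error` reads `that error that` where `the error that` is meant. `eventid`, `hostid` and `machinename` are left commented out here while `panw.panos.eventid` is populated by the USERID mapping added to `config/input.yml` in this same commit, so that field has no declared mapping; either declare it or drop the mapping.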
@@ -172,6 +172,87 @@ processors:
 destination.user.email: 52
 observer.hostname: 59
 
+ - extract_array:
+ when:
+ equals:
+ panw.panos.type: GLOBALPROTECT
+ field: csv
+ omit_empty: true
+ overwrite_keys: true
+ fail_on_error: false
+ mappings:
+ panw.panos.virtual_sys: 7
+ event.code: 8
+ panw.panos.stage: 9
+ panw.panos.auth_method: 10
+ panw.panos.tunnel_type: 11
+ _temp_.srcuser: 12
+ _temp_.srcloc: 13
+ host.name: 14
+ source.nat.ip: 15
+ client.nat.ip: 15
+ _temp_.public_ipv6: 16
+ host.ip: 17
+ source.ip: 17
+ client.ip: 17
+ source.address: 17
+ client.address: 17
+ _temp_.private_ipv6: 18
+ host.id: 19
+ panw.panos.serial_number: 20
+ panw.panos.client_ver: 21
+ panw.panos.client_os: 22
+ panw.panos.client_os_ver: 23
+ panw.panos.repeatcnt: 24
+ event.reason: 25
+ panw.panos.error: 26
+ panw.panos.description: 27
+ event.outcome: 28
+ observer.geo.name: 29
+ event.duration: 30
+ panw.panos.connect_method: 31
+ panw.panos.error_code: 32
+ observer.hostname: 33
+ panw.panos.sequence_number: 34
+ panw.panos.actionflags: 35
+
+ - extract_array:
+ when:
+ equals:
+ panw.panos.type: USERID
+ field: csv
+ omit_empty: true
+ overwrite_keys: true
+ fail_on_error: false
+ mappings:
+ panw.panos.virtual_sys: 7
+ client.ip: 8
+ source.ip: 8
+ source.address: 8
+ _temp_.srcuser: 9
+ panw.panos.datasourcename: 10
+ panw.panos.eventid: 11
+ panw.panos.repeatcnt: 12
+ panw.panos.timeout: 13
+ source.port: 14
+ client.port: 14
+ destination.port: 15
+ server.port: 15
+ panw.panos.datasource: 16
+ panw.panos.datasourcetype: 17
+ panw.panos.sequence_number: 18
+ panw.panos.actionflags: 19
+ panw.panos.dg_hier: 20
+ panw.panos.vsys_name: 21
+ observer.hostname: 22
+ panw.panos.vsys_id: 23
+ panw.panos.factortype: 24
+ panw.panos.factorcompletiontime: 25
+ panw.panos.factorno: 26
+ panw.panos.ugflags: 27
+ source.user.name: 28
+ client.user.name: 28
+
 - drop_fields:
 fields:
 - csv
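Review bot: The new USERID mapping writes `panw.panos.eventid`, `panw.panos.timeout`, `panw.panos.datasource*`, `panw.panos.factor*`, `panw.panos.ugflags` and `panw.panos.dg_hier`, but the `_meta/fields.yml` hunk in this commit only declares the GlobalProtect fields and explicitly comments `eventid` out, so these appear to have no declared mapping and will depend on whatever the index template does with undeclared fields. The diffstat lists no USERID sample log or expected JSON either, so this branch is unexercised, unlike GLOBALPROTECT which gets `test/global_protect.log`. The GLOBALPROTECT mapping looks to have the same gap for `panw.panos.tunnel_type`, `panw.panos.connect_method` and `panw.panos.description`, unless they are declared earlier in fields.yml outside the visible hunk. Either add the missing field definitions next to the new GlobalProtect ones or move the USERID block to a follow-up that ships with its own fixture.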
@@ -190,15 +271,6 @@ processors:
 internal_zones: {{ .internal_zones | tojson }}
 {{ end }}
 
- - community_id: ~
-
- - community_id:
- target: panw.panos.network.nat.community_id
- fields:
- source_ip: source.nat.ip
- source_port: source.nat.port
- destination_ip: destination.nat.ip
- destination_port: destination.nat.port
 
 # Copy NAT data from ECS fields to the original non-ECS fields to retain
 # backward compatibility. This should be removed for 8.0.
diff --git a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
new file mode 100644
index 00000000000..713be3ba954
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
@@ -0,0 +1,37 @@
+---
+description: Pipeline for PanOS Global Protect Logs
+processors:
+ - set:
+ field: source.ip
+ value: "{{_temp_.private_ipv6}}"
+ if: ctx?._temp_?.private_ipv6 != "" && ctx?._temp_?.private_ipv6 != "0.0.0.0"
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.public_ipv6}}"
+ if: ctx?._temp_?.public_ipv6 != "" && ctx?._temp_?.public_ipv6 != "0.0.0.0"
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Global Protect pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
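Review bot: The two `set` processors at the top of the new globalprotect pipeline test `_temp_.private_ipv6` / `_temp_.public_ipv6` only against `""` and `"0.0.0.0"`, so when the column is absent — which `omit_empty: true` in `config/input.yml` produces for an empty CSV field — the condition is true and `source.ip` / `source.nat.ip` are overwritten with the template of a missing field, which as far as I can tell renders as an empty string and clobbers the IPv4 value taken from columns 15 and 17. Add a null guard first: `if: ctx?._temp_?.private_ipv6 != null && ctx._temp_.private_ipv6 != "" && ctx._temp_.private_ipv6 != "0.0.0.0"`, and the same for `public_ipv6`. The `network.type` conditions further down call `.contains()` on `ctx?.source?.ip` with no null-safe operator on the last segment, so a record with no source IP raises a NullPointerException and lands in `on_failure` instead of skipping the processor; `ctx?.source?.ip?.contains(".") == true` avoids that. Comparing an IPv6 column against `"0.0.0.0"` also looks copied from the IPv4 case — worth confirming what PAN-OS emits for an unset IPv6 address.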
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 6fdd0cac2ef..685fff2a669 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -1,624 +1,542 @@ description: "Pipeline for Palo Alto Networks PAN-OS Logs" processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' -# keep message as log.original. - - rename: - field: message - target_field: log.original + # keep message as log.original. + - rename: + field: message + target_field: log.original # Get the timezone from the IETF header if present. Otherwise the timezone # value added by the add_locale processor will be used. - - grok: - field: _temp_.ietf_header - patterns: - - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' - ignore_failure: true - -# Set @timestamp to the time when the entry was generated at the data plane. - - date: - if: "ctx.event.timezone == null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.created is the time the event was received at the management plane. - - date: - if: "ctx.event.timezone == null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.start (traffic only) is the time the session started. 
- - date: - if: "ctx.event.timezone == null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - timezone: "{{ event.timezone }}" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# convert integer fields as the output of the CSV processor is always a string. - - convert: { type: long, ignore_missing: true, field: client.bytes } - - convert: { type: long, ignore_missing: true, field: client.packets } - - convert: { type: long, ignore_missing: true, field: client.port } - - convert: { type: long, ignore_missing: true, field: server.bytes } - - convert: { type: long, ignore_missing: true, field: server.packets } - - convert: { type: long, ignore_missing: true, field: server.port } - - convert: { type: long, ignore_missing: true, field: source.bytes } - - convert: { type: long, ignore_missing: true, field: source.packets } - - convert: { type: long, ignore_missing: true, field: source.port } - - convert: { type: long, ignore_missing: true, field: destination.bytes } - - convert: { type: long, ignore_missing: true, field: destination.packets } - - convert: { type: long, ignore_missing: true, field: destination.port } - - convert: { type: long, ignore_missing: true, field: network.bytes } - - convert: { type: long, ignore_missing: true, field: network.packets } - - convert: { type: long, ignore_missing: true, field: event.duration } - - convert: { type: long, ignore_missing: true, field: _temp_.labels } - - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } - - convert: { type: long, ignore_missing: true, field: source.nat.port } - - convert: { type: long, 
ignore_missing: true, field: destination.nat.port } - - convert: { type: long, ignore_missing: true, field: client.nat.port } - - convert: { type: long, ignore_missing: true, field: server.nat.port } - -# Remove PCAP ID when zero (no packet capture). - - remove: - if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' - field: - - panw.panos.network.pcap_id - -# Extract 'flags' bitfield into labels. - - script: - lang: painless - if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' - params: - pcap_included: 0x80000000 - ipv6_session: 0x02000000 - ssl_decrypted: 0x01000000 - url_filter_denied: 0x00800000 - nat_translated: 0x00400000 - captive_portal: 0x00200000 - x_forwarded_for: 0x00080000 - http_proxy: 0x00040000 - container_page: 0x00008000 - temporary_match: 0x00002000 - symmetric_return: 0x00000800 - source: > - def labels = ctx?.labels; - if (labels == null) { + - grok: + field: _temp_.ietf_header + patterns: + - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' + ignore_failure: true + + # Set @timestamp to the time when the entry was generated at the data plane. + - date: + if: "ctx.event.timezone == null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.created is the time the event was received at the management plane. 
+ - date: + if: "ctx.event.timezone == null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.start (traffic only) is the time the session started. + - date: + if: "ctx.event.timezone == null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + timezone: "{{ event.timezone }}" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # convert integer fields as the output of the CSV processor is always a string. 
+ - convert: { type: long, ignore_missing: true, field: client.bytes } + - convert: { type: long, ignore_missing: true, field: client.packets } + - convert: { type: long, ignore_missing: true, field: client.port } + - convert: { type: long, ignore_missing: true, field: server.bytes } + - convert: { type: long, ignore_missing: true, field: server.packets } + - convert: { type: long, ignore_missing: true, field: server.port } + - convert: { type: long, ignore_missing: true, field: source.bytes } + - convert: { type: long, ignore_missing: true, field: source.packets } + - convert: { type: long, ignore_missing: true, field: source.port } + - convert: { type: long, ignore_missing: true, field: destination.bytes } + - convert: { type: long, ignore_missing: true, field: destination.packets } + - convert: { type: long, ignore_missing: true, field: destination.port } + - convert: { type: long, ignore_missing: true, field: network.bytes } + - convert: { type: long, ignore_missing: true, field: network.packets } + - convert: { type: long, ignore_missing: true, field: event.duration } + - convert: { type: long, ignore_missing: true, field: _temp_.labels } + - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } + - convert: { type: long, ignore_missing: true, field: source.nat.port } + - convert: { type: long, ignore_missing: true, field: destination.nat.port } + - convert: { type: long, ignore_missing: true, field: client.nat.port } + - convert: { type: long, ignore_missing: true, field: server.nat.port } + + - community_id: + ignore_missing: true + + - community_id: + target_field: panw.panos.network.nat.community_id + ignore_missing: true + ignore_failure: true + source_ip: source.nat.ip + source_port: source.nat.port + destination_ip: destination.nat.ip + destination_port: destination.nat.port + + # Remove PCAP ID when zero (no packet capture). 
+ - remove: + if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' + field: + - panw.panos.network.pcap_id + + # Extract 'flags' bitfield into labels. + - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + source: > + def labels = ctx?.labels; + if (labels == null) { labels = new HashMap(); ctx['labels'] = labels; - } - long value = ctx._temp_.labels; - for (entry in params.entrySet()) { + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { if ((value & entry.getValue()) != 0) { labels[entry.getKey()] = true; } - } - -# normalize event.duration and determine event.end. - - script: - lang: painless - if: 'ctx?.event?.duration != null' - params: - NANOS_IN_A_SECOND: 1000000000 - source: > - long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; - ctx['event']['duration'] = nanos; - def start = ctx.event?.start; - if (start != null) { + } + + # normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); - } - -# Set network.direction using src/dst zone (traffic logs). 
- - set: - field: network.direction - value: inbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone) - ) - ) -# 
Set network.direction from threat direction (Threat logs). - - set: - field: network.direction - value: inbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' - - - set: - field: network.direction - value: outbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' - - - set: - field: network.direction - value: unknown - if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null' - -# Set network.type for TRAFFIC. - - set: - field: network.type - value: 'ipv4' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null' - - set: - field: network.type - value: 'ipv6' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null' - - # Set event.category depending on log type. - - set: - field: event.kind - value: event - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - append: - field: event.category - allow_duplicates: false - value: - - network_traffic - - network - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - set: - field: event.kind - value: alert - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.category - allow_duplicates: false - value: - - security_threat - - intrusion_detection - - network - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.type - allow_duplicates: false - value: allowed - if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" - - append: - field: event.type - allow_duplicates: false - value: denied - if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" - - set: - field: event.outcome - value: success - - -# event.action for traffic logs. 
- - set: - field: event.action - value: flow_started - if: 'ctx?.panw?.panos?.sub_type == "start"' - - append: - field: event.type - allow_duplicates: false - value: - - start - - connection - if: 'ctx?.panw?.panos?.sub_type == "start"' - - set: - field: event.action - value: flow_terminated - if: 'ctx?.panw?.panos?.sub_type == "end"' - - append: - field: event.type - allow_duplicates: false - value: - - end - - connection - if: 'ctx?.panw?.panos?.sub_type == "end"' - - set: - field: event.action - value: flow_dropped - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - set: - field: event.action - value: flow_denied - if: 'ctx?.panw?.panos?.sub_type == "deny"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "deny"' - -# event.action for threat logs. - - set: - field: event.action - value: data_match - if: 'ctx?.panw?.panos?.sub_type == "data"' - - set: - field: event.action - value: file_match - if: 'ctx?.panw?.panos?.sub_type == "file"' - - set: - field: event.action - value: flood_detected - if: 'ctx?.panw?.panos?.sub_type == "flood"' - - set: - field: event.action - value: packet_attack - if: 'ctx?.panw?.panos?.sub_type == "packet"' - - set: - field: event.action - value: scan_detected - if: 'ctx?.panw?.panos?.sub_type == "scan"' - - set: - field: event.action - value: spyware_detected - if: 'ctx?.panw?.panos?.sub_type == "spyware"' - - set: - field: event.action - value: url_filtering - if: 'ctx?.panw?.panos?.sub_type == "url"' - - set: - field: event.action - value: virus_detected - if: 'ctx?.panw?.panos?.sub_type == "virus"' - - set: - field: event.action - value: exploit_detected - if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' - - set: - field: event.action - value: wildfire_verdict - if: 'ctx?.panw?.panos?.sub_type == "wildfire"' - - set: 
- field: event.action - value: wildfire_virus_detected - if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' - - -# Set numeric log.level from event.severity. - - set: - field: "event.severity" - if: 'ctx.log.level == "critical"' - value: 1 - - set: - field: "event.severity" - if: 'ctx.log.level == "high"' - value: 2 - - set: - field: "event.severity" - if: 'ctx.log.level == "medium"' - value: 3 - - set: - field: "event.severity" - if: 'ctx.log.level == "low"' - value: 4 - - set: - field: "event.severity" - if: 'ctx.log.level == "informational"' - value: 5 - -# Normalize event.outcome. -# These values appear in the TRAFFIC docs but look like a mistake. - - set: - field: panw.panos.action - value: 'drop-icmp' - if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' - - set: - field: panw.panos.action - value: 'reset-both' - if: 'ctx?.panw?.panos?.action == "reset both"' - - set: - field: panw.panos.action - value: 'reset-client' - if: 'ctx?.panw?.panos?.action == "reset client"' - - set: - field: panw.panos.action - value: 'reset-server' - if: 'ctx?.panw?.panos?.action == "reset server"' - -# Build related.ip array from src/dest/NAT IPs. - - append: - if: 'ctx?.source?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.ip}}' - - append: - if: 'ctx?.destination?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.ip}}' - - append: - if: 'ctx?.source?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.nat.ip}}' - - append: - if: 'ctx?.destination?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.nat.ip}}' - -# Geolocation for source. - - geoip: - if: 'ctx?.source?.ip != null' - field: source.ip - target_field: source.geo - -# Geolocation for destination. 
- - geoip: - if: 'ctx?.destination?.ip != null' - field: destination.ip - target_field: destination.geo - -# IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -# Set source|destination.geo.name from panw's srcloc|dstloc - - rename: - if: 'ctx.source?.geo?.name == null' - field: _temp_.srcloc - target_field: source.geo.name - ignore_missing: true - - rename: - if: 'ctx.destination?.geo?.name == null' - field: _temp_.dstloc - target_field: destination.geo.name - ignore_missing: true - -# Append NAT community_id to network.community_id - - append: - if: 'ctx?.panw?.panos?.network?.nat?.community_id != null' - field: network.community_id - allow_duplicates: false - value: + } + +## TRAFFIC + - pipeline: + if: ctx?.panw?.panos?.type == "TRAFFIC" + name: '{< IngestPipeline "traffic" >}' + +# ## THREAT + - pipeline: + if: ctx?.panw?.panos?.type == "THREAT" + name: '{< IngestPipeline "threat" >}' + +# ## GLOBAL PROTECT + - pipeline: + if: ctx?.panw?.panos?.type == "GLOBALPROTECT" + name: '{< IngestPipeline "globalprotect" >}' + + - append: + field: event.type + allow_duplicates: false + value: allowed + if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" + - append: + field: event.type + 
allow_duplicates: false + value: denied + if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" + - set: + field: event.outcome + value: failure + if: "ctx?.event?.type != null && ctx?.event?.type.contains('denied')" + - set: + field: event.outcome + value: success + if: ctx?.event?.outcome == null + + # event.action for traffic logs. + - set: + field: event.action + value: flow_started + if: 'ctx?.panw?.panos?.sub_type == "start"' + - append: + field: event.type + allow_duplicates: false + value: + - start + - connection + if: 'ctx?.panw?.panos?.sub_type == "start"' + - set: + field: event.action + value: flow_terminated + if: 'ctx?.panw?.panos?.sub_type == "end"' + - append: + field: event.type + allow_duplicates: false + value: + - end + - connection + if: 'ctx?.panw?.panos?.sub_type == "end"' + - set: + field: event.action + value: flow_dropped + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - set: + field: event.action + value: flow_denied + if: 'ctx?.panw?.panos?.sub_type == "deny"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "deny"' + + # event.action for threat logs. 
+ - set: + field: event.action + value: data_match + if: 'ctx?.panw?.panos?.sub_type == "data"' + - set: + field: event.action + value: file_match + if: 'ctx?.panw?.panos?.sub_type == "file"' + - set: + field: event.action + value: flood_detected + if: 'ctx?.panw?.panos?.sub_type == "flood"' + - set: + field: event.action + value: packet_attack + if: 'ctx?.panw?.panos?.sub_type == "packet"' + - set: + field: event.action + value: scan_detected + if: 'ctx?.panw?.panos?.sub_type == "scan"' + - set: + field: event.action + value: spyware_detected + if: 'ctx?.panw?.panos?.sub_type == "spyware"' + - set: + field: event.action + value: url_filtering + if: 'ctx?.panw?.panos?.sub_type == "url"' + - set: + field: event.action + value: virus_detected + if: 'ctx?.panw?.panos?.sub_type == "virus"' + - set: + field: event.action + value: exploit_detected + if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' + - set: + field: event.action + value: wildfire_verdict + if: 'ctx?.panw?.panos?.sub_type == "wildfire"' + - set: + field: event.action + value: wildfire_virus_detected + if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' + + + # Set numeric log.level from event.severity. + - set: + field: "event.severity" + if: 'ctx?.log?.level == "critical"' + value: 1 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "high"' + value: 2 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "medium"' + value: 3 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "low"' + value: 4 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "informational"' + value: 5 + + # Normalize event.outcome. + # These values appear in the TRAFFIC docs but look like a mistake. 
+ - lowercase: + field: panw.panos.action + ignore_missing: true + - gsub: + field: panw.panos.action + pattern: \s + replacement: "-" + ignore_missing: true + + # - set: + # field: panw.panos.action + # value: 'drop-icmp' + # if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' + # - set: + # field: panw.panos.action + # value: 'reset-both' + # if: 'ctx?.panw?.panos?.action == "reset both"' + # - set: + # field: panw.panos.action + # value: 'reset-client' + # if: 'ctx?.panw?.panos?.action == "reset client"' + # - set: + # field: panw.panos.action + # value: 'reset-server' + # if: 'ctx?.panw?.panos?.action == "reset server"' + + # Build related.ip array from src/dest/NAT IPs. + - append: + if: 'ctx?.source?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.ip}}' + - append: + if: 'ctx?.destination?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.ip}}' + - append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.nat.ip}}' + - append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.nat.ip}}' + + # Geolocation for source. + - geoip: + if: 'ctx?.source?.ip != null' + field: source.ip + target_field: source.geo + + # Geolocation for destination. 
+ - geoip: + if: 'ctx?.destination?.ip != null' + field: destination.ip + target_field: destination.geo + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + # Set source|destination.geo.name from panw's srcloc|dstloc + - rename: + if: 'ctx.source?.geo?.name == null' + field: _temp_.srcloc + target_field: source.geo.name + ignore_missing: true + - rename: + if: 'ctx.destination?.geo?.name == null' + field: _temp_.dstloc + target_field: destination.geo.name + ignore_missing: true + + # Append NAT community_id to network.community_id + - append: + if: 'ctx?.panw?.panos?.network?.nat?.community_id != null' + field: network.community_id + allow_duplicates: false + value: - '{{panw.panos.network.nat.community_id}}' - - grok: - if: 'ctx?.panw?.panos?.threat?.name != null' - field: panw.panos.threat.name - ignore_failure: true - patterns: - - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)' - - - set: - field: panw.panos.threat.name - value: 'URL-filtering' - if: 'ctx?.panw?.panos?.threat?.id == "9999"' - - - set: - field: rule.name - value: "{{panw.panos.ruleset}}" - ignore_empty_value: true - -# Set url and file values - - rename: - if: 'ctx?.panw?.panos?.sub_type != "url"' - field: url.original - 
target_field: file.name - ignore_missing: true - - - grok: - field: url.original - patterns: - - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' - ignore_missing: true - pattern_definitions: - USERNAME: '[^\:]*' - PASSWORD: '[^@]*' - DOMAIN: '[^\/\?#\:]*' - PATH: '[^\?#]*' - QUERY: '[^#]*' - ANY: '.*' - if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' - - - grok: - field: url.path - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' - ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.url?.path != null && ctx?.url?.path != ""' - - - grok: - field: file.name - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' - ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.file?.name != null && ctx?.file?.name != ""' - - - append: - field: related.user - allow_duplicates: false - value: "{{client.user.name}}" - if: "ctx?.client?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{server.user.name}}" - if: "ctx?.server?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{url.username}}" - if: "ctx?.url?.username != null && ctx?.url?.username != ''" - allow_duplicates: false - - - append: - field: related.hash - allow_duplicates: false - value: "{{panw.panos.file.hash}}" - if: "ctx?.panw?.panos?.file?.hash != null" - - - append: - field: related.hosts - allow_duplicates: false - value: "{{observer.hostname}}" - if: 
"ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" - allow_duplicates: false - - - append: - field: related.hosts - allow_duplicates: false - value: "{{url.domain}}" - if: "ctx?.url?.domain != null && ctx.url?.domain != ''" - allow_duplicates: false - -# Remove temporary fields. - - remove: - field: - - _temp_ - ignore_missing: true - -# Remove NAT fields when translation was not done. - - remove: - field: - - source.nat.ip - - source.nat.port - - client.nat.ip - - client.nat.port - if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' - - remove: - field: - - destination.nat.ip - - destination.nat.port - - server.nat.ip - - server.nat.port - if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' + - set: + field: rule.name + value: "{{panw.panos.ruleset}}" + ignore_empty_value: true + + # Set url and file values + - rename: + if: 'ctx?.panw?.panos?.sub_type != "url"' + field: url.original + target_field: file.name + ignore_missing: true + + - grok: + field: url.original + patterns: + - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' + ignore_missing: true + pattern_definitions: + USERNAME: '[^\:]*' + PASSWORD: '[^@]*' + DOMAIN: '[^\/\?#\:]*' + PATH: '[^\?#]*' + QUERY: '[^#]*' + ANY: '.*' + if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' + + - grok: + field: url.path + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' + ignore_missing: true + pattern_definitions: + FILENAME: '[^\.]+' + ANY: '.*' + if: 'ctx?.url?.path != null && ctx?.url?.path != ""' + + - grok: + field: file.name + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' 
+ ignore_missing: true
+ pattern_definitions:
+ FILENAME: '[^\.]+'
+ ANY: '.*'
+ if: 'ctx?.file?.name != null && ctx?.file?.name != ""'
+
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{client.user.name}}"
+ if: "ctx?.client?.user?.name != null"
+
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{source.user.name}}"
+ if: "ctx?.source?.user?.name != null"
+
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{server.user.name}}"
+ if: "ctx?.server?.user?.name != null"
+
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{destination.user.name}}"
+ if: "ctx?.destination?.user?.name != null"
+
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{url.username}}"
+ if: "ctx?.url?.username != null && ctx?.url?.username != ''"
+ allow_duplicates: false
+
+ - append:
+ field: related.hash
+ allow_duplicates: false
+ value: "{{panw.panos.file.hash}}"
+ if: "ctx?.panw?.panos?.file?.hash != null"
+
+ - append:
+ field: related.hosts
+ allow_duplicates: false
+ value: "{{observer.hostname}}"
+ if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
+ allow_duplicates: false
+
+ - append:
+ field: related.hosts
+ allow_duplicates: false
+ value: "{{url.domain}}"
+ if: "ctx?.url?.domain != null && ctx.url?.domain != ''"
+ allow_duplicates: false
+
+ # Remove temporary fields.
+ - remove:
+ field:
+ - _temp_
+ ignore_missing: true
+
+ # Remove NAT fields when translation was not done.
+ - remove:
+ field:
+ - source.nat.ip
+ - source.nat.port
+ - client.nat.ip
+ - client.nat.port
+ if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0'
+ - remove:
+ field:
+ - destination.nat.ip
+ - destination.nat.port
+ - server.nat.ip
+ - server.nat.port
+ if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0'
 on_failure:
 - set:
diff --git a/x-pack/filebeat/module/panw/panos/ingest/threat.yml b/x-pack/filebeat/module/panw/panos/ingest/threat.yml
new file mode 100644
index 00000000000..31ff25bbaa0
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/threat.yml
@@ -0,0 +1,49 @@
+---
+description: Pipeline for PanOS Threat Logs
+processors:
+ # Set network.direction from threat direction (Threat logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: '(ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
+ - set:
+ field: network.direction
+ value: outbound
+ if: '(ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
+ - set:
+ field: network.direction
+ value: unknown
+ if: 'ctx?.network?.direction == null'
+
+ # Set event.category depending on log type.
+ - set:
+ field: event.kind
+ value: alert
+ - append:
+ field: event.category
+ allow_duplicates: false
+ value:
+ - security_threat
+ - intrusion_detection
+ - network
+
+ - grok:
+ if: 'ctx?.panw?.panos?.threat?.name != null'
+ field: panw.panos.threat.name
+ ignore_failure: true
+ patterns:
+ - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)'
+
+ - set:
+ field: panw.panos.threat.name
+ value: 'URL-filtering'
+ if: 'ctx?.panw?.panos?.threat?.id == "9999"'
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Threat pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/ingest/traffic.yml b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml
new file mode 100644
index 00000000000..0bfda89f66a
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml
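Review bot: `security_threat` in the `event.category` append is not, as far as I can tell, one of the values ECS allows for that field, so dashboards and detection rules that key on ECS categories will not match these documents; the same applies to `network_traffic` in the traffic.yml hunk. Even if both values were carried over from the old pipeline.yml rather than introduced here, moving the category logic into its own file is the moment to drop them and keep only `- intrusion_detection` and `- network`, with a comment pointing at the ECS allowed-values list as the reference. The grok that splits `panw.panos.threat.name` is fine but unexplained; a comment such as `# PAN-OS renders threat names as "name(id)"; split them so threat.id is searchable on its own` would make the two GREEDYDATA captures obvious to the next reader.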
@@ -0,0 +1,87 @@
+---
+description: Pipeline for PanOS Traffic Logs
+processors:
+ # Set network.direction using src/dst zone (traffic logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)
+ )
+ )
+
+ # Set network.type for TRAFFIC.
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.labels?.ipv6_session == null'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.labels?.ipv6_session != null'
+
+ # Set event.category depending on log type.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ allow_duplicates: false
+ value:
+ - network_traffic
+ - network
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Traffic pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 958a4ba7247..3bbf088dd91 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
@@ -21,7 +21,11 @@ var:
 default:
 - untrust
-ingest_pipeline: ingest/pipeline.yml
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/traffic.yml
+ - ingest/threat.yml
+ - ingest/globalprotect.yml
 input: config/input.yml
 requires.processors:
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log
new file mode 100644
index 00000000000..08ae3bde65d
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log
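Review bot: `network.direction` is left unset when only one of `_temp_.external_zones` / `_temp_.internal_zones` is present and the ingress/egress pair does not satisfy the `internal` or `external` processor, because the closing `unknown` processor in that chain requires both lists to be non-null. threat.yml closes its own direction chain with an unconditional fallback; the same three lines at the end of this chain would make traffic documents consistent: `- set:` / `field: network.direction` / `value: unknown` guarded by `if: 'ctx?.network?.direction == null'`. Whether a null list can actually occur depends on how the manifest variables are rendered into `_temp_`, which this hunk does not show, so this may be defensive rather than a live gap.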
@@ -0,0 +1,2 @@
+1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect Portal,69200719497738,0x0
+1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
new file mode 100644
index 00000000000..78d762a2a36
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
@@ -0,0 +1,113 @@
+[
+ {
+ "@timestamp": "2021-03-24T11:30:00.000-02:00",
+ "client.address": "10.52.36.15",
+ "client.ip": "10.52.36.15",
+ "client.nat.ip": "11.134.5.168",
+ "event.code": "portal-prelogin",
+ "event.dataset": "panw.panos",
+ "event.duration": 0,
+ "event.module": "panw",
+ "event.outcome": "success",
+ "event.timezone": "-02:00",
+ "fileset.name": "panos",
+ "host.id": "09300bcc-23-4900-8de9-32695452fa",
+ "host.ip": "10.52.36.15",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.original": "1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect Portal,69200719497738,0x0",
+ "network.type": "ipv4",
+ "observer.hostname": "GlobalProtect Portal",
+ "observer.product": "PAN-OS",
+ "observer.serial_number": "013101001305",
+ "observer.type": "firewall",
+ "observer.vendor": "Palo Alto Networks",
+ "panw.panos.actionflags": "0x0",
+ "panw.panos.client_os": "Windows",
+ "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit",
+ "panw.panos.client_ver": "5.2.4",
+ "panw.panos.error_code": "0",
+ "panw.panos.repeatcnt": "1",
+ "panw.panos.sequence_number": 69200719497738,
+ "panw.panos.source.nat.ip": "11.134.5.168",
+ "panw.panos.stage": "before-login",
+ "panw.panos.sub_type": "0",
+ "panw.panos.type": "GLOBALPROTECT",
+ "panw.panos.virtual_sys": "vsys1",
+ "related.hosts": [
+ "GlobalProtect Portal"
+ ],
+ "related.ip": [
+ "10.52.36.15",
+ "11.134.5.168"
+ ],
+ "service.type": "panw",
+ "source.address": "10.52.36.15",
+ "source.geo.name": "BE",
+ "source.ip": "10.52.36.15",
+ "source.nat.ip": "11.134.5.168",
+ "tags": [
+ "pan-os",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-24T11:29:49.000-02:00",
+ "client.address": "10.20.13.217",
+ "client.ip": "10.20.13.217",
+ "client.nat.ip": "83.14.113.11",
+ "event.code": "gateway-config-release",
+ "event.dataset": "panw.panos",
+ "event.duration": 0,
+ "event.module": "panw",
+ "event.outcome": "success",
+ "event.timezone": "-02:00",
+ "fileset.name": "panos",
+ "host.id": "e0957c11-93-437a-9e23-9f0c24059898",
+ "host.ip": "10.20.13.217",
+ "host.name": "CP935",
+ "input.type": "log",
+ "log.offset": 304,
+ "log.original": "1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0",
+ "network.type": "ipv4",
+ "observer.hostname": "GlobalProtect_GW",
+ "observer.product": "PAN-OS",
+ "observer.serial_number": "013101001308",
+ "observer.type": "firewall",
+ "observer.vendor": "Palo Alto Networks",
+ "panw.panos.actionflags": "0x0",
+ "panw.panos.client_os": "Windows",
+ "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit",
+ "panw.panos.client_ver": "5.2.4",
+ "panw.panos.error_code": "0",
+ "panw.panos.repeatcnt": "1",
+ "panw.panos.sequence_number": 6919501582016786,
+ "panw.panos.serial_number": "5J9VN53",
+ "panw.panos.source.nat.ip": "83.14.113.11",
+ "panw.panos.stage": "configuration",
+ "panw.panos.sub_type": "0",
+ "panw.panos.type": "GLOBALPROTECT",
+ "panw.panos.virtual_sys": "vsys1",
+ "related.hosts": [
+ "GlobalProtect_GW"
+ ],
+ "related.ip": [
+ "10.20.13.217",
+ "83.14.113.11"
+ ],
+ "related.user": [
+ "user"
+ ],
+ "service.type": "panw",
+ "source.address": "10.20.13.217",
+ "source.geo.name": "BE",
+ "source.ip": "10.20.13.217",
+ "source.nat.ip": "83.14.113.11",
+ "source.user.domain": "domain",
+ "source.user.name": "user",
+ "tags": [
+ "pan-os",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
index 5388af2b903..c5f32daf182 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
@@ -1333,7 +1333,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1630,7 +1630,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3258,7 +3258,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3355,7 +3355,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3452,7 +3452,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3551,7 +3551,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3648,7 +3648,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3744,7 +3744,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3843,7 +3843,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3939,7 +3939,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4036,7 +4036,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4132,7 +4132,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4322,7 +4322,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4417,7 +4417,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4512,7 +4512,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4608,7 +4608,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4706,7 +4706,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4804,7 +4804,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4903,7 +4903,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5002,7 +5002,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5101,7 +5101,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5190,7 +5190,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5294,7 +5294,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5383,7 +5383,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5477,7 +5477,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5580,7 +5580,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5669,7 +5669,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5760,7 +5760,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5861,7 +5861,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5957,7 +5957,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6053,7 +6053,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6142,7 +6142,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6246,7 +6246,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6892,7 +6892,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6982,7 +6982,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7076,7 +7076,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7166,7 +7166,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7256,7 +7256,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7346,7 +7346,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7527,7 +7527,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7889,7 +7889,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7983,7 +7983,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8073,7 +8073,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8257,7 +8257,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8531,7 +8531,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8712,7 +8712,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8802,7 +8802,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8983,7 +8983,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9073,7 +9073,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9163,7 +9163,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9253,7 +9253,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9434,7 +9434,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
index ef9975180c1..4ffdc338032 100644
--- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
@@ -27,7 +27,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -132,7 +132,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -237,7 +237,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -342,7 +342,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -447,7 +447,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -552,7 +552,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -657,7 +657,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -762,7 +762,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -867,7 +867,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -972,7 +972,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1077,7 +1077,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1182,7 +1182,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1287,7 +1287,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1392,7 +1392,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1497,7 +1497,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1602,7 +1602,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1707,7 +1707,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1812,7 +1812,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1917,7 +1917,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2022,7 +2022,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2127,7 +2127,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2232,7 +2232,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2337,7 +2337,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2442,7 +2442,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2547,7 +2547,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2652,7 +2652,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2757,7 +2757,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2862,7 +2862,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2967,7 +2967,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3072,7 +3072,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3177,7 +3177,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3282,7 +3282,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3387,7 +3387,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3492,7 +3492,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3597,7 +3597,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3702,7 +3702,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3810,7 +3810,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3918,7 +3918,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4026,7 +4026,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4134,7 +4134,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4242,7 +4242,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4350,7 +4350,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4458,7 +4458,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4566,7 +4566,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4674,7 +4674,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4782,7 +4782,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4890,7 +4890,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4998,7 +4998,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5106,7 +5106,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5214,7 +5214,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5319,7 +5319,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5424,7 +5424,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5529,7 +5529,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5634,7 +5634,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5739,7 +5739,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5844,7 +5844,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5949,7 +5949,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6054,7 +6054,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6159,7 +6159,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6264,7 +6264,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6372,7 +6372,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6480,7 +6480,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6588,7 +6588,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6696,7 +6696,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6804,7 +6804,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6912,7 +6912,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7020,7 +7020,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7128,7 +7128,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7236,7 +7236,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7344,7 +7344,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7452,7 +7452,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7560,7 +7560,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7668,7 +7668,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7776,7 +7776,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7884,7 +7884,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7992,7 +7992,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "success",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [