diff --git a/packages/panw/_dev/build/docs/README.md b/packages/panw/_dev/build/docs/README.md index 89d1af3736d..36b09e5b542 100644 --- a/packages/panw/_dev/build/docs/README.md +++ b/packages/panw/_dev/build/docs/README.md @@ -12,4 +12,6 @@ The ingest-geoip Elasticsearch plugin is required to run this module. ### PAN-OS +{{event "panos"}} + {{fields "panos"}} diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index 23ffbf5b75b..2a58c14b509 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml @@ -1,4 +1,15 @@ # newer versions go on top +- version: "2.2.1" + changes: + - description: Fix search terms in saved searches + type: bugfix + link: https://github.com/elastic/integrations/pull/3324 + - description: Remove invalid value in sample event and publish in documentation + type: bugfix + link: https://github.com/elastic/integrations/pull/3324 + - description: Add threat term to threat data set event.category + type: enhancement + link: https://github.com/elastic/integrations/pull/3324 - version: "2.2.0" changes: - description: Replace syslog input with UDP/TCP input and syslog processor. diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json index 4f8ef89cad0..0cdb08aac2c 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json @@ -27,6 +27,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", @@ -163,6 +164,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", 
@@ -299,6 +301,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", @@ -435,6 +438,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", @@ -571,6 +575,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", @@ -707,6 +712,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:12.000+10:00", @@ -843,6 +849,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:17.000+10:00", @@ -979,6 +986,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:17.000+10:00", @@ -1115,6 +1123,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:17.000+10:00", @@ -1251,6 +1260,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:17.000+10:00", @@ -1387,6 +1397,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:22.000+10:00", @@ -1523,6 +1534,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:22.000+10:00", @@ -1659,6 +1671,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:22.000+10:00", @@ -1795,6 +1808,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:22.000+10:00", 
@@ -1929,6 +1943,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:27.000+10:00", @@ -2065,6 +2080,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:27.000+10:00", @@ -2201,6 +2217,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:27.000+10:00", @@ -2335,6 +2352,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:32.000+10:00", @@ -2471,6 +2489,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:32.000+10:00", @@ -2607,6 +2626,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:32.000+10:00", @@ -2743,6 +2763,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:32.000+10:00", @@ -2879,6 +2900,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:32.000+10:00", @@ -3015,6 +3037,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:37.000+10:00", @@ -3151,6 +3174,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:37.000+10:00", @@ -3287,6 +3311,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:37.000+10:00", @@ -3423,6 +3448,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:37.000+10:00", 
@@ -3559,6 +3585,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:37.000+10:00", @@ -3695,6 +3722,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -3831,6 +3859,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -3967,6 +3996,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -4103,6 +4133,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -4239,6 +4270,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -4375,6 +4407,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:42.000+10:00", @@ -4511,6 +4544,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:46:47.000+10:00", @@ -4645,6 +4679,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:47:02.000+10:00", @@ -4779,6 +4814,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:47:02.000+10:00", @@ -4913,6 +4949,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:47:12.000+10:00", @@ -5047,6 +5084,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:47:17.000+10:00", 
@@ -5181,6 +5219,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:47:17.000+10:00", @@ -5315,6 +5354,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:51:03.000+10:00", @@ -5449,6 +5489,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:51:23.000+10:00", @@ -5583,6 +5624,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:51:33.000+10:00", @@ -5717,6 +5759,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:51:33.000+10:00", @@ -5844,6 +5887,7 @@ "action": "spyware_detected", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:53:33.000+10:00", @@ -5982,6 +6026,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:53:38.000+10:00", @@ -6116,6 +6161,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:53:48.000+10:00", @@ -6250,6 +6296,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:53:58.000+10:00", @@ -6384,6 +6431,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:55:23.000+10:00", @@ -6518,6 +6566,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:56:23.000+10:00", @@ -6652,6 +6701,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:57:33.000+10:00", 
@@ -6786,6 +6836,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2012-10-30T09:57:38.000+10:00", @@ -6920,6 +6971,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:58:52.000+10:00", @@ -7054,6 +7106,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:58:52.000+10:00", @@ -7181,6 +7234,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:58:57.000+10:00", @@ -7322,6 +7376,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:58:57.000+10:00", @@ -7449,6 +7504,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:07.000+10:00", @@ -7583,6 +7639,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:07.000+10:00", @@ -7724,6 +7781,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:07.000+10:00", @@ -7851,6 +7909,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:12.000+10:00", @@ -7985,6 +8044,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:12.000+10:00", @@ -8126,6 +8186,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:12.000+10:00", @@ -8260,6 +8321,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:12.000+10:00", @@ -8394,6 +8456,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:12.000+10:00", 
@@ -8521,6 +8584,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:17.000+10:00", @@ -8662,6 +8726,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:22.000+10:00", @@ -8796,6 +8861,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -8923,6 +8989,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9057,6 +9124,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9198,6 +9266,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9325,6 +9394,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9466,6 +9536,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9593,6 +9664,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9727,6 +9799,7 @@ "action": "file_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:32.000+10:00", @@ -9861,6 +9934,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -9995,6 +10069,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10129,6 +10204,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", 
@@ -10263,6 +10339,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10404,6 +10481,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10531,6 +10609,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10665,6 +10744,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10799,6 +10879,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -10933,6 +11014,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -11067,6 +11149,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:37.000+10:00", @@ -11201,6 +11284,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -11335,6 +11419,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -11469,6 +11554,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -11603,6 +11689,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -11737,6 +11824,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", 
@@ -11871,6 +11959,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -12005,6 +12094,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -12146,6 +12236,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -12273,6 +12364,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -12407,6 +12499,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:42.000+10:00", @@ -12548,6 +12641,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -12675,6 +12769,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -12809,6 +12904,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -12943,6 +13039,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -13077,6 +13174,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -13211,6 +13309,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", @@ -13345,6 +13444,7 @@ "action": "data_match", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2013-03-25T23:59:47.000+10:00", 
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json index 5f22f139e71..e32ec22ab47 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json @@ -30,6 +30,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -197,6 +198,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -364,6 +366,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -531,6 +534,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -698,6 +702,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -865,6 +870,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -1032,6 +1038,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -1199,6 +1206,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -1366,6 +1374,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -1533,6 +1542,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", 
@@ -1700,6 +1710,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -1867,6 +1878,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -2034,6 +2046,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -2201,6 +2214,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -2368,6 +2382,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:36.000+09:30", @@ -2535,6 +2550,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:37.000+09:30", @@ -2702,6 +2718,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:37.000+09:30", @@ -2869,6 +2886,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:37.000+09:30", @@ -3036,6 +3054,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:37.000+09:30", @@ -3203,6 +3222,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:38.000+09:30", @@ -3370,6 +3390,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:38.000+09:30", @@ -3537,6 +3558,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:38.000+09:30", 
@@ -3704,6 +3726,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -3871,6 +3894,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4038,6 +4062,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4205,6 +4230,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4372,6 +4398,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4539,6 +4566,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4706,6 +4734,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -4873,6 +4902,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -5040,6 +5070,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -5207,6 +5238,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -5374,6 +5406,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -5541,6 +5574,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", 
@@ -5708,6 +5742,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:46.000+09:30", @@ -5875,6 +5910,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:53.000+09:30", @@ -6042,6 +6078,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:54.000+09:30", @@ -6209,6 +6246,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:58.000+09:30", @@ -6376,6 +6414,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:58.000+09:30", @@ -6543,6 +6582,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:58.000+09:30", @@ -6710,6 +6750,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:58.000+09:30", @@ -6877,6 +6918,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:59.000+09:30", @@ -7044,6 +7086,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:59.000+09:30", @@ -7211,6 +7254,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:44:59.000+09:30", @@ -7378,6 +7422,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:00.000+09:30", @@ -7545,6 +7590,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:00.000+09:30", 
@@ -7712,6 +7758,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:00.000+09:30", @@ -7879,6 +7926,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:00.000+09:30", @@ -8046,6 +8094,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:00.000+09:30", @@ -8213,6 +8262,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:13.000+09:30", @@ -8380,6 +8430,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:15.000+09:30", @@ -8547,6 +8598,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:15.000+09:30", @@ -8714,6 +8766,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:15.000+09:30", @@ -8881,6 +8934,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:15.000+09:30", @@ -9048,6 +9102,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", @@ -9215,6 +9270,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", @@ -9382,6 +9438,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", @@ -9549,6 +9606,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", 
@@ -9716,6 +9774,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", @@ -9883,6 +9942,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:16.000+09:30", @@ -10050,6 +10110,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:26.000+09:30", @@ -10217,6 +10278,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:26.000+09:30", @@ -10384,6 +10446,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:26.000+09:30", @@ -10551,6 +10614,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:26.000+09:30", @@ -10718,6 +10782,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:26.000+09:30", @@ -10885,6 +10950,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -11052,6 +11118,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -11219,6 +11286,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -11386,6 +11454,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -11553,6 +11622,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", 
@@ -11720,6 +11790,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -11887,6 +11958,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:27.000+09:30", @@ -12054,6 +12126,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:28.000+09:30", @@ -12221,6 +12294,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:28.000+09:30", @@ -12388,6 +12462,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:28.000+09:30", @@ -12555,6 +12630,7 @@ "action": "url_filtering", "category": [ "intrusion_detection", + "threat", "network" ], "created": "2018-11-30T16:45:29.000+09:30", diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml index 791b4229302..bbd6feb43db 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml +++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml @@ -95,6 +95,7 @@ processors: field: event.category value: - intrusion_detection + - threat - network on_failure: diff --git a/packages/panw/data_stream/panos/sample_event.json b/packages/panw/data_stream/panos/sample_event.json index 9a3ce0d23df..138a503b608 100644 --- a/packages/panw/data_stream/panos/sample_event.json +++ b/packages/panw/data_stream/panos/sample_event.json 
@@ -1,11 +1,11 @@ { "@timestamp": "2018-11-30T16:09:07.000Z", "agent": { - "ephemeral_id": "e4811856-bfcd-4b56-a3b8-e72433fa3caf", - "id": "654bb145-fd80-41c9-8a5d-307abd101e5a", + "ephemeral_id": "ff87971e-45e3-4ef8-8517-bd986fd8e553", + "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.2.0" }, "data_stream": { "dataset": "panw.panos", @@ -39,22 +39,21 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "654bb145-fd80-41c9-8a5d-307abd101e5a", + "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f", "snapshot": false, - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "flow_terminated", "agent_id_status": "verified", "category": [ - "network_traffic", "network" ], "created": "2018-11-30T16:09:07.000Z", "dataset": "panw.panos", "duration": 586000000000, "end": "2018-11-30T16:08:50.000Z", - "ingested": "2022-03-01T06:53:34Z", + "ingested": "2022-05-15T06:01:30Z", "kind": "event", "outcome": "success", "start": "2018-11-30T15:59:04.000Z", @@ -74,7 +73,7 @@ }, "log": { "source": { - "address": "172.29.0.4:50949" + "address": "192.168.208.4:47747" } }, "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md index c6c5724bd4f..e74f5919063 100644 --- a/packages/panw/docs/README.md +++ b/packages/panw/docs/README.md 
@@ -12,6 +12,203 @@ The ingest-geoip Elasticsearch plugin is required to run this module.
 ### PAN-OS
+An example event for `panos` looks as following:
+
+```json
+{
+ "@timestamp": "2018-11-30T16:09:07.000Z",
+ "agent": {
+ "ephemeral_id": "ff87971e-45e3-4ef8-8517-bd986fd8e553",
+ "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "panw.panos",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 5976,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "name": "United States",
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "nat": {
+ "ip": "175.16.199.1",
+ "port": 443
+ },
+ "packets": 20,
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "flow_terminated",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2018-11-30T16:09:07.000Z",
+ "dataset": "panw.panos",
+ "duration": 586000000000,
+ "end": "2018-11-30T16:08:50.000Z",
+ "ingested": "2022-05-15T06:01:30Z",
+ "kind": "event",
+ "outcome": "success",
+ "start": "2018-11-30T15:59:04.000Z",
+ "timezone": "+00:00",
+ "type": [
+ "allowed",
+ "end",
+ "connection"
+ ]
+ },
+ "hostname": "PA-220",
+ "input": {
+ "type": "syslog"
+ },
+ "labels": {
+ "nat_translated": true
+ },
+ "log": {
+ "source": {
+ "address": "192.168.208.4:47747"
+ }
+ },
+ "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "network": {
+ "application": "apple-maps",
+ "bytes": 7734,
+ "community_id": [
+ "1:La5Jgm/PJBlaHF8BtgJSyZEmW9E=",
+ "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
+ ],
+ "packets": 36,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "ethernet1/1"
+ },
+ "zone": "untrust"
+ },
+ "hostname": "PA-220",
+ "ingress": {
+ "interface": {
+ "name": "ethernet1/2"
+ },
+ "zone": "trust"
+ },
+ "product": "PAN-OS",
+ "serial_number": "012801096514",
+ "type": "firewall",
+ "vendor": "Palo Alto Networks"
+ },
+ "panw": {
+ "panos": {
+ "action": "allow",
+ "action_flags": "0x0",
+ "action_source": "from-policy",
+ "destination": {
+ "nat": {
+ "ip": "175.16.199.1",
+ "port": 443
+ }
+ },
+ "device_group_hierarchy1": "0",
+ "device_group_hierarchy2": "0",
+ "device_group_hierarchy3": "0",
+ "device_group_hierarchy4": "0",
+ "endreason": "tcp-fin",
+ "flow_id": "22751",
+ "imsi": "0",
+ "log_profile": "send_to_mac",
+ "network": {
+ "nat": {
+ "community_id": "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
+ }
+ },
+ "parent_session": {
+ "id": "0"
+ },
+ "related_vsys": "vsys1",
+ "repeat_count": 1,
+ "ruleset": "new_outbound_from_trust",
+ "scp": {
+ "assoc_id": "0",
+ "chunks": 0,
+ "chunks_received": 0,
+ "chunks_sent": 0
+ },
+ "sequence_number": 32091112,
+ "source": {
+ "nat": {
+ "ip": "192.168.1.63",
+ "port": 16418
+ }
+ },
+ "sub_type": "end",
+ "tunnel_type": "N/A",
+ "type": "TRAFFIC",
+ "url": {
+ "category": "computer-and-internet-info"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "PA-220"
+ ],
+ "ip": [
+ "192.168.15.207",
+ "175.16.199.1",
+ "192.168.1.63"
+ ]
+ },
+ "rule": {
+ "name": "new_outbound_from_trust"
+ },
+ "source": {
+ "bytes": 1758,
+ "geo": {
+ "name": "192.168.0.0-192.168.255.255"
+ },
+ "ip": "192.168.15.207",
+ "nat": {
+ "ip": "192.168.1.63",
+ "port": 16418
+ },
+ "packets": 16,
+ "port": 55113
+ },
+ "syslog": {},
+ "tags": [
+ "panw-panos",
+ "forwarded"
+ ]
+}
+```
+
 **Exported fields**
 | Field | Description | Type |
diff --git a/packages/panw/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json
index 21c926b5f05..45f86b578e0 100644
--- a/packages/panw/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json
+++ b/packages/panw/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json
@@ -12,7 +12,7 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
- "query": "data_stream.dataset: \"panw.panos\" and event.category: \"network_traffic\""
+ "query": "data_stream.dataset: \"panw.panos\" and panw.panos.type: \"TRAFFIC\""
 },
 "version": true
 }
diff --git a/packages/panw/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json
index af8ae4665d5..3a82d364fd1 100644
--- a/packages/panw/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json
+++ b/packages/panw/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json
@@ -12,7 +12,7 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
- "query": "data_stream.dataset: \"panw.panos\" and event.category: \"security_threat\""
+ "query": "data_stream.dataset: \"panw.panos\" and event.category: \"threat\""
 },
 "version": true
 }
diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml
index 9725822cd90..42a3bb81122 100644
--- a/packages/panw/manifest.yml
+++ b/packages/panw/manifest.yml
@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Networks Logs
-version: 2.2.0
+version: 2.2.1
 release: ga
 description: Collect PAN-OS firewall monitoring logs from Palo Alto Networks devices with Elastic Agent.
 type: integration
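Review bot: The two saved searches changed here now select the same data stream in different ways — this one by the vendor log type `panw.panos.type: "TRAFFIC"`, the next hunk (`panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json`) by the ECS category `event.category: "threat"` that the threat pipeline appends in this same commit. If `panw.panos.type` is populated for threat logs the way the sample event shows it for traffic (`"type": "TRAFFIC"`), `panw.panos.type: "THREAT"` would make the pair symmetric and stop the threat search depending on which ECS categories the pipeline chooses to emit. Both queries are exact-match terms, so they also rely on `panw.panos.type` being mapped as a keyword, which nothing in this commit shows. The saved-object document containing each `query` starts outside the hunk.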