From 7b7bbe97c364f08f37a570f9526703e4fa5f5053 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Wed, 9 Dec 2020 11:09:03 -0600
Subject: [PATCH] [Filebeat] panos config option to set internal/external zones (#22998)
* panos config option to set internal/external zones
- default internal zone is "trust"
- default external zone is "untrust"
- allows for user to define zones for determining network.direction
Relates #21674
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/filebeat.reference.yml | 9 ++++
 x-pack/filebeat/module/panw/_meta/config.yml | 9 ++++
 .../module/panw/panos/config/input.yml | 14 ++++++
 .../module/panw/panos/ingest/pipeline.yml | 50 ++++++++++++++++---
 .../filebeat/module/panw/panos/manifest.yml | 6 +++
 x-pack/filebeat/modules.d/panw.yml.disabled | 9 ++++
 7 files changed, 92 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index bb0e94f710d..f7732420c9f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -743,6 +743,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320]
 - Add logic for external network.direction in sophos xg fileset {pull}22973[22973]
 - Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975]
+- Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998]
 *Heartbeat*
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index aa85742e7c9..bf894ba38c8 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -1520,6 +1520,15 @@ filebeat.modules:
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
+
 #------------------------------ PostgreSQL Module ------------------------------
 #- module: postgresql
 # Logs
diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml
index 41c54c3700c..737825f598c 100644
--- a/x-pack/filebeat/module/panw/_meta/config.yml
+++ b/x-pack/filebeat/module/panw/_meta/config.yml
@@ -8,3 +8,12 @@
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 8ab5dfbf216..3d3f0be207f 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -173,6 +173,20 @@ processors:
 fields:
 - csv
+{{ if .external_zones }}
+ - add_fields:
+ target: _temp_
+ fields:
+ external_zones: {{ .external_zones | tojson }}
+{{ end }}
+
+{{ if .internal_zones }}
+ - add_fields:
+ target: _temp_
+ fields:
+ internal_zones: {{ .internal_zones | tojson }}
+{{ end }}
+
 - community_id: ~
 - community_id:
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 8b2bd7e8324..3bf76a0c5c1 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
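Review bot: The comment `# default "trust"` above `#var.internal_zones:` in _meta/config.yml describes the default as a single string, while manifest.yml declares the variable as a list (`default:` / `- trust`) and input.yml serialises it with `tojson` for a list `.contains()` check, so a user copying the scalar form gets a different type than the pipeline expects. I would make the commented examples show list syntax and fix the sentence, e.g. `# Set internal security zones, used to determine network.direction` followed by `# default: [trust]` and `#var.internal_zones: [trust]`, with the matching `[untrust]` form for `var.external_zones`. The same text is repeated in the filebeat.reference.yml and modules.d/panw.yml.disabled hunks, which appear to be generated from this file, so the fix belongs here.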
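Review bot: The two `add_fields` processors copy the configured zone lists into `_temp_` on every event sent to the ingest pipeline, and nothing in this patch removes `_temp_` afterwards; if the existing pipeline does not already drop that field, the configuration ends up indexed on each document (the pipeline hunk is where a `remove` would belong). The template also does not constrain the value's type: a scalar `var.external_zones: untrust` is rendered by `tojson` as a JSON string, and the pipeline's `.contains()` on a Painless String is then a substring test, so a zone named `trust` would match `untrust` and flip the direction — inferred from the pipeline hunk, but worth a comment in _meta/config.yml saying the value must be a list. Note as well that `{{ if .external_zones }}` is false for an explicitly empty list, in which case none of the direction rules in the pipeline can fire and `network.direction` is left unset for TRAFFIC logs.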
@@ -134,24 +134,62 @@ processors:
 - set:
 field: network.direction
 value: inbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
 - set:
 field: network.direction
 value: outbound
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: internal
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: external
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
 - set:
 field: network.direction
 value: unknown
- if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
-
+ if: >
+ ctx?.panw?.panos?.type == "TRAFFIC" &&
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)
+ )
+ )
 # Set network.direction from threat direction (Threat logs).
 - set:
 field: network.direction
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 36f901c2845..958a4ba7247 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
@@ -14,6 +14,12 @@ var:
 default: syslog
 - name: community_id
 default: true
+ - name: internal_zones
+ default:
+ - trust
+ - name: external_zones
+ default:
+ - untrust
 ingest_pipeline: ingest/pipeline.yml
 input: config/input.yml
diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled
index a16d9580ac1..0bd5bf33419 100644
--- a/x-pack/filebeat/modules.d/panw.yml.disabled
+++ b/x-pack/filebeat/modules.d/panw.yml.disabled
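Review bot: The five `set` processors for `network.direction` run in sequence with no mutual exclusion, so a zone that a user lists in both `internal_zones` and `external_zones` satisfies several conditions and the last matching rule silently wins (inbound is overwritten by outbound, then by internal or external); neither the manifest defaults nor the input template reject overlapping lists. A comment above the first `set` would make the contract explicit: `# Rules are evaluated in order and the last match wins; internal_zones and external_zones must not overlap.` The conditions also moved from `panw.panos.source.zone`/`destination.zone` to `observer.ingress.zone`/`observer.egress.zone`, which must be populated by processors outside this hunk — worth confirming they are set for TRAFFIC logs before this point, because when either is null every rule except `unknown` is skipped. The `unknown` rule does cover the null case since `List.contains(null)` is false, so that path is fine; the `_temp_` lists it reads are never removed within this patch, so if the pipeline does not already drop `_temp_` they are indexed with every event.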
@@ -11,3 +11,12 @@
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+