
Commit b88d2a3

authored
[PANW] add audit log parsing (#9663)
1 parent f796032 commit b88d2a3


9 files changed

+183
-5
lines changed


packages/panw/changelog.yml

Lines changed: 5 additions & 0 deletions
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "3.25.0"
3+
changes:
4+
- description: Add audit log parsing
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/9663
27
- version: "3.24.4"
38
changes:
49
- description: Make / in url optional
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
Apr 11 20:06:15 192.168.0.1 01111111111,2024/04/11 20:06:15,audit,2561,gui-op,suser,"<debug><dataplane><packet-diag><show><setting/></show></packet-diag></dataplane></debug>",success
2+
Apr 18 18:35:20 10.1.1.1 003001000000,2024/04/18 18:35:20,audit,2561,gui-op,Mustang,"<show><config-locks><vsys>all</vsys></config-locks></show>",success
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
fields:
2+
tags:
3+
- preserve_original_event
4+
_conf:
5+
tz_offset: "-04:00"
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,100 @@
1+
{
2+
"expected": [
3+
{
4+
"@timestamp": "2024-04-11T20:06:15.000-04:00",
5+
"ecs": {
6+
"version": "8.11.0"
7+
},
8+
"event": {
9+
"category": [
10+
"configuration"
11+
],
12+
"created": "2024-04-11T16:06:15.000-04:00",
13+
"kind": "event",
14+
"original": "Apr 11 20:06:15 192.168.0.1 01111111111,2024/04/11 20:06:15,audit,2561,gui-op,suser,\"<debug><dataplane><packet-diag><show><setting/></show></packet-diag></dataplane></debug>\",success",
15+
"outcome": "success",
16+
"timezone": "-04:00"
17+
},
18+
"message": "2561,gui-op,suser,\"<debug><dataplane><packet-diag><show><setting/></show></packet-diag></dataplane></debug>\",success",
19+
"network": {
20+
"type": "ipv4"
21+
},
22+
"observer": {
23+
"product": "PAN-OS",
24+
"serial_number": "01111111111",
25+
"type": "firewall",
26+
"vendor": "Palo Alto Networks"
27+
},
28+
"panw": {
29+
"panos": {
30+
"cmd": "<debug><dataplane><packet-diag><show><setting/></show></packet-diag></dataplane></debug>",
31+
"cmd_source": "gui-op",
32+
"config_version": "2561",
33+
"type": "AUDIT"
34+
}
35+
},
36+
"related": {
37+
"ip": [
38+
"192.168.0.1"
39+
]
40+
},
41+
"source": {
42+
"ip": "192.168.0.1"
43+
},
44+
"tags": [
45+
"preserve_original_event"
46+
],
47+
"user": {
48+
"name": "suser"
49+
}
50+
},
51+
{
52+
"@timestamp": "2024-04-18T18:35:20.000-04:00",
53+
"ecs": {
54+
"version": "8.11.0"
55+
},
56+
"event": {
57+
"category": [
58+
"configuration"
59+
],
60+
"created": "2024-04-18T14:35:20.000-04:00",
61+
"kind": "event",
62+
"original": "Apr 18 18:35:20 10.1.1.1 003001000000,2024/04/18 18:35:20,audit,2561,gui-op,Mustang,\"<show><config-locks><vsys>all</vsys></config-locks></show>\",success",
63+
"outcome": "success",
64+
"timezone": "-04:00"
65+
},
66+
"message": "2561,gui-op,Mustang,\"<show><config-locks><vsys>all</vsys></config-locks></show>\",success",
67+
"network": {
68+
"type": "ipv4"
69+
},
70+
"observer": {
71+
"product": "PAN-OS",
72+
"serial_number": "003001000000",
73+
"type": "firewall",
74+
"vendor": "Palo Alto Networks"
75+
},
76+
"panw": {
77+
"panos": {
78+
"cmd": "<show><config-locks><vsys>all</vsys></config-locks></show>",
79+
"cmd_source": "gui-op",
80+
"config_version": "2561",
81+
"type": "AUDIT"
82+
}
83+
},
84+
"related": {
85+
"ip": [
86+
"10.1.1.1"
87+
]
88+
},
89+
"source": {
90+
"ip": "10.1.1.1"
91+
},
92+
"tags": [
93+
"preserve_original_event"
94+
],
95+
"user": {
96+
"name": "Mustang"
97+
}
98+
}
99+
]
100+
}
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
description: Pipeline for PanOS Audit Logs.
3+
# API Docs: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields
4+
processors:
5+
- csv:
6+
field: message
7+
ignore_failure: true
8+
target_fields:
9+
- panw.panos.config_version
10+
- panw.panos.cmd_source
11+
- user.name
12+
- panw.panos.cmd
13+
- event.outcome
14+
- uppercase:
15+
field: panw.panos.type
16+
ignore_missing: true
17+
# Set event.kind & event.category field.
18+
- set:
19+
field: event.kind
20+
value: event
21+
- append:
22+
field: event.category
23+
value:
24+
- configuration
25+
26+
# Set custom fields to ECS fields
27+
- date:
28+
if: ctx._temp_?.syslog_time != null
29+
field: _temp_.syslog_time
30+
target_field: event.created
31+
formats:
32+
- MMM d HH:mm:ss
33+
- MMM dd HH:mm:ss
34+
- set:
35+
field: observer.hostname
36+
copy_from: panw.panos.device_name
37+
ignore_failure: true
38+
- set:
39+
field: source.ip
40+
copy_from: panw.panos.source.ip
41+
ignore_failure: true
42+
43+
on_failure:
44+
- set:
45+
field: event.kind
46+
value: pipeline_error
47+
- append:
48+
field: error.message
49+
value: >-
50+
error in Audit pipeline:
51+
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
52+
with tag [{{{_ingest.on_failure_processor_tag}}}]{{{/_ingest.on_failure_processor_tag}}}
53+
{{{_ingest.on_failure_message}}}
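Review bot: The `date` processor that parses `_temp_.syslog_time` into `event.created` carries no `timezone` option, so the syslog header time is read as UTC, while the PAN-OS generated time that feeds `@timestamp` is presumably parsed with `_conf.tz_offset` elsewhere; the expected output above shows the result, `event.created` 2024-04-11T16:06:15.000-04:00 against `@timestamp` 2024-04-11T20:06:15.000-04:00 for a line whose two timestamps are identical. Adding `timezone: '{{{_conf.tz_offset}}}'` to that processor (the test config on this page sets that key) should bring the two fields into agreement. The `MMM d HH:mm:ss` formats carry no year, so the expectation is also year-dependent unless the harness pins the clock, which is worth a comment such as `# syslog header has no year; the date processor assumes the current year`. Separately, the two trailing `set` processors copy from `panw.panos.device_name` and `panw.panos.source.ip`, which nothing on this page populates, so as written they only ever reach `ignore_failure`.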

packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml

Lines changed: 5 additions & 0 deletions
@@ -31,6 +31,7 @@ processors:
3131
field: _temp_.message
3232
patterns:
3333
- "^%{DATA},%{TIMESTAMP:event.created},%{FIELD:observer.serial_number},%{FIELD:panw.panos.type},(?:%{FIELD:panw.panos.sub_type})?,%{FIELD:_temp_.config_version},%{TIMESTAMP:_temp_.generated_time},%{GREEDYDATA:message}$"
34+
- "^%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IP:source.ip} %{NOTSPACE:observer.serial_number},%{PANW_DATE:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
3435
pattern_definitions:
3536
TIMESTAMP: "%{PANW_DATE}|%{TIMESTAMP_ISO8601}"
3637
PANW_DATE: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}"
@@ -92,6 +93,10 @@ processors:
9293
- pipeline:
9394
if: ctx.panw?.panos?.type == 'START' || ctx.panw.panos.type == 'END'
9495
name: '{{ IngestPipeline "tunnel_inspection" }}'
96+
## AUDIT
97+
- pipeline:
98+
if: ctx.panw?.panos?.type == 'AUDIT' || ctx.panw?.panos?.type == 'audit'
99+
name: '{{ IngestPipeline "audit" }}'
95100

96101
- set:
97102
field: panw.panos.observer.serial_number
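Review bot: The new grok pattern (`%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IP:source.ip} …`) stores the syslog header address as `source.ip`, but that address is the host that emitted the line — the firewall itself, judging by the sample data — which ECS models as `observer.ip`, not as the source of the audited action. Detections or correlations keyed on `source.ip` would then point at the firewall rather than at the administrator's client; consider `%{IP:observer.ip}` (with `related.ip` following whichever field is chosen), or, if `source.ip` is kept deliberately, a comment such as `# header IP is the sending device, not the admin client`. The audit routing condition also checks both `'AUDIT'` and `'audit'` while the sibling condition above it checks only `'START'`/`'END'`, which suggests the case of `panw.panos.type` is not normalised before routing; normalising it once here would let the audit pipeline drop its own `uppercase` step.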

packages/panw/data_stream/panos/fields/fields.yml

Lines changed: 8 additions & 2 deletions
@@ -147,7 +147,10 @@
147147
description: Unique 32 character ID for a file scanned by the DLP cloud service sent by a firewall.
148148
- name: cmd
149149
type: keyword
150-
description: Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
150+
description: Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set, or any command generated by cli, gui, gui-opt, gnmi, or rest;
151+
- name: cmd_source
152+
type: keyword
153+
description: 'Source of the command that generated the audit log. Value are: cli, gui, gui-op, gnmi, rest.'
151154
- name: comment
152155
type: keyword
153156
description: The audit comment entered in a policy rule configuration change.
@@ -319,6 +322,9 @@
319322
- name: id
320323
type: keyword
321324
description: A string showing the name of the event.
325+
- name: outcome
326+
type: keyword
327+
description: A string showing the outcome of the event.
322328
- name: reason
323329
type: keyword
324330
description: A string that shows the reason for the quarantine.
@@ -942,7 +948,7 @@
942948
description: Type of tunnel, such as GRE or IPSec or SSLVPN.
943949
- name: type
944950
type: keyword
945-
description: Specifies the type of log; values are HIP-MATCH, CONFIG, GLOBALPROTECT, THREAT, TRAFFIC, USERID, AUTHENTICATION, CORRELATION, DECRYPTION, GTP, IPTAG, SCTP, SYSTEM.
951+
description: Specifies the type of log; values are HIP-MATCH, CONFIG, GLOBALPROTECT, THREAT, TRAFFIC, USERID, AUTHENTICATION, CORRELATION, DECRYPTION, GTP, IPTAG, SCTP, SYSTEM, AUDIT.
946952
- name: ugflags
947953
type: keyword
948954
description: 'Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group.Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.'
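Review bot: The new `cmd` description lists `gui-opt` while the `cmd_source` description two lines below and the sample log lines use `gui-op`, so one of them is a typo, and `Value are:` should read `Values are:`. The `outcome` field added to the `event` group (`panw.panos.event.outcome`) is not written by anything on this page — the audit pipeline's csv processor targets ECS `event.outcome` directly — so either the definition is unused or the pipeline should populate it. Copying the raw vendor value straight into ECS `event.outcome` also bypasses that field's fixed vocabulary (`success`, `failure`, `unknown`); keeping the raw value in `panw.panos.event.outcome` and deriving the ECS value from it would address both points.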

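--- a/packages/panw/docs/README.md
+++ b/packages/panw/docs/README.md
@@ -402,7 +402,8 @@ An example event for `panos` looks as following:
 | panw.panos.client_type | Type of client to used by administrator or complete authentication. | keyword |
 | panw.panos.client_ver | The client's GlobalProtect app version. | keyword |
 | panw.panos.cloud_report.id | Unique 32 character ID for a file scanned by the DLP cloud service sent by a firewall. | keyword |
-| panw.panos.cmd | Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set. | keyword |
+| panw.panos.cmd | Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set, or any command generated by cli, gui, gui-opt, gnmi, or rest; | keyword |
+| panw.panos.cmd_source | Source of the command that generated the audit log. Value are: cli, gui, gui-op, gnmi, rest. | keyword |
 | panw.panos.comment | The audit comment entered in a policy rule configuration change. | keyword |
 | panw.panos.config_version | The software version. | keyword |
 | panw.panos.connect_method | A string showing the how the GlobalProtect app connects to Gateway, (for example, on-demand or user-logon. | keyword |
@@ -450,6 +451,7 @@ An example event for `panos` looks as following:
 | panw.panos.error_code | An integer associated with any errors that occurred. | integer |
 | panw.panos.error_message | A string showing that error that has occurred in any event. | keyword |
 | panw.panos.event.id | A string showing the name of the event. | keyword |
+| panw.panos.event.outcome | A string showing the outcome of the event. | keyword |
 | panw.panos.event.reason | A string that shows the reason for the quarantine. | keyword |
 | panw.panos.event.result | Result of the authentication attempt. | keyword |
 | panw.panos.event.status | The status (success or failure) of the event. | keyword |
@@ -625,7 +627,7 @@ An example event for `panos` looks as following:
 | panw.panos.tunnel_fragment | Number of packets the firewall dropped because of fragmentation errors. | long |
 | panw.panos.tunnel_inspection_rule | Name of the tunnel inspection rule matching the cleartext tunnel traffic. | keyword |
 | panw.panos.tunnel_type | Type of tunnel, such as GRE or IPSec or SSLVPN. | keyword |
-| panw.panos.type | Specifies the type of log; values are HIP-MATCH, CONFIG, GLOBALPROTECT, THREAT, TRAFFIC, USERID, AUTHENTICATION, CORRELATION, DECRYPTION, GTP, IPTAG, SCTP, SYSTEM. | keyword |
+| panw.panos.type | Specifies the type of log; values are HIP-MATCH, CONFIG, GLOBALPROTECT, THREAT, TRAFFIC, USERID, AUTHENTICATION, CORRELATION, DECRYPTION, GTP, IPTAG, SCTP, SYSTEM, AUDIT. | keyword |
 | panw.panos.ugflags | Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group.Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. | keyword |
 | panw.panos.unknown_protocol | Number of packets the firewall dropped because the packet contains an unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if unknown protocol inside tunnel). | long |
 | panw.panos.url.category | For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malware’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. | keyword |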

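--- a/packages/panw/manifest.yml
+++ b/packages/panw/manifest.yml
@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "3.24.4"
+version: "3.25.0"
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"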
