[filebeat][panw] Improve panos fileset url parsing (#22481)

* Improve panos url parsing * Do not parse url details when not needed * Parse url based on threat subtype
elastic · Nov 19, 2020 · bb973c4 · bb973c4
1 parent 896b825
commit bb973c4
Show file tree

Hide file tree

Showing 4 changed files with 874 additions and 283 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -722,6 +722,7 @@ from being added to events by default. {pull}18159[18159]
 - Added DNS response IP addresses to `related.ip` in Suricata module. {pull}22291[22291]
 - Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. {pull}21696[21696]
 - Added `event.ingested` field to data from the Netflow module. {pull}22412[22412]
+- Improve panw ECS url fields mapping. {pull}22481[22481]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -447,6 +447,47 @@ processors:
      value: "{{panw.panos.ruleset}}"
      ignore_empty_value: true
 
+# Set url and file values
+ - rename:
+     if: 'ctx?.panw?.panos?.sub_type != "url"'
+     field: url.original
+     target_field: file.name
+     ignore_missing: true
+
+ - grok:
+     field: url.original
+     patterns:
+       - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?'
+     ignore_missing: true
+     pattern_definitions:
+       USERNAME: '[^\:]*'
+       PASSWORD: '[^@]*'
+       DOMAIN: '[^\/\?#\:]*'
+       PATH: '[^\?#]*'
+       QUERY: '[^#]*'
+       ANY: '.*'
+     if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""'
+
+ - grok:
+     field: url.path
+     patterns:
+       - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?'
+     ignore_missing: true
+     pattern_definitions:
+       FILENAME: '[^\.]+'
+       ANY: '.*'
+     if: 'ctx?.url?.path != null && ctx?.url?.path != ""'
+
+ - grok:
+     field: file.name
+     patterns:
+       - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?'
+     ignore_missing: true
+     pattern_definitions:
+       FILENAME: '[^\.]+'
+       ANY: '.*'
+     if: 'ctx?.file?.name != null && ctx?.file?.name != ""'
+
  - append:
      field: related.user
      value: "{{client.user.name}}"
@@ -467,6 +508,12 @@ processors:
      value: "{{destination.user.name}}"
      if: "ctx?.destination?.user?.name != null"
 
+ - append:
+     field: related.user
+     value: "{{url.username}}"
+     if: "ctx?.url?.username != null && ctx?.url?.username != ''"
+     allow_duplicates: false
+
  - append:
      field: related.hash
      value: "{{panw.panos.file.hash}}"
@@ -478,6 +525,12 @@ processors:
      if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
      allow_duplicates: false
 
+ - append:
+     field: related.hosts
+     value: "{{url.domain}}"
+     if: "ctx?.url?.domain != null && ctx.url?.domain != ''"
+     allow_duplicates: false
+
 # Remove temporary fields.
  - remove:
      field: