
[Filebeat] Palo Alto integration with User-ID #24722

Closed
rdrgporto opened this issue Mar 24, 2021 · 10 comments · Fixed by #24927

Comments

@rdrgporto

Hi, everyone

I have been working with Palo Alto and Filebeat over several days. I have looked at the Elastic documentation, and it currently supports messages of the Traffic and Threat types.

Is parsing of the User-ID type being considered? I would like to have it because it provides information about logins and logouts of usernames.

Thanks in advance,

Rodrigo

@botelastic botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Mar 24, 2021
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Mar 24, 2021
@jamiehynds

Hey @rdrgporto! Increasing our Palo Alto event coverage is certainly something we'd like to do, including the User-ID logs. We currently have very limited sample data with which to add support to our module. Would you be able to share some sample User-ID events so we can review the format? Sanitised events are fine.

@rdrgporto
Author

rdrgporto commented Mar 24, 2021

Hi, @jamiehynds

Here you are:

Mar 24 11:00:49 <ip/hostname> 1,2021/03/24 11:00:49,<serial-number>,USERID,login,2305,2021/03/24 11:00:49,vsys1,<source-ip>,<user-domain>,,0,1,10800,0,0,<data-source-collected>,<data-source-type>,1252774,0x0,0,0,0,0,,<device-name>,1,,2021/03/24 11:00:49,1,0x80000000,<user-name>

Mar 24 10:59:45 <ip/hostname> 1,2021/03/24 10:59:45,<serial-number>,USERID,logout,2305,2021/03/24 10:59:45,vsys1,<source-ip>,<user-domain>,,0,1,0,0,0,<data-source-collected>,<data-source-type>,1252765,0x0,0,0,0,0,,<device-name>,1,,2021/03/24 10:59:45,1,0x80000000,<user-name>

I configured Palo Alto (version 9.1) to send logs via syslog. I have a virtual machine which writes its information into a file (I had to configure rsyslog). Logstash reads it and parses it.

I used the Palo Alto documentation to find out the field names.

Thanks 😃 ,

Rodrigo
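As an added example (not code from this thread, the Filebeat panos fileset, or Palo Alto Networks), here is a small Python parser for the two sanitised User-ID lines above. It strips the rsyslog header, splits the vendor CSV body with the csv module so quoted values survive, names only the positions whose meaning the sample's angle-bracket placeholders give away, and keeps every other column by index, which matters because the thread itself notes that the column count does not line up with the public field reference. The host names, serial number, 192.0.2.10 address, data-source values and the user alice are constructed stand-ins for the reporter's placeholders; receive_time and generated_time follow PAN-OS's own names for the two timestamp columns, and the remaining key names are this example's own assumptions.

```python
"""Parser for PAN-OS User-ID syslog lines (type USERID, subtypes login/logout).

Added example: not code from the thread, the Filebeat panos fileset, or
Palo Alto Networks. Named positions come from the placeholders in the
sanitised sample lines; all other columns are kept by index only.
"""
import csv
import re
from collections import defaultdict
from datetime import datetime

# rsyslog-style header in front of the vendor CSV: "Mon DD HH:MM:SS host body"
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)

# 0-based CSV positions whose meaning the sample's <placeholders> reveal.
# Key names other than the two timestamp columns are this example's own
# naming (an assumption), not the vendor's field reference.
_POSITIONS = {
    "serial_number": 2,
    "log_type": 3,
    "subtype": 4,
    "virtual_system": 7,
    "source_ip": 8,
    "user_domain": 9,
    "data_source_collected": 16,
    "data_source_type": 17,
    "device_name": 25,
    "user_name": 31,
}
EXPECTED_FIELDS = 32  # both sample lines in the thread split into 32 columns

# Constructed stand-ins for the sanitised samples (RFC 5737 address,
# made-up host/serial/user); layout and numeric columns match the originals.
SAMPLE_LINES = [
    "Mar 24 11:00:49 pa-fw01 1,2021/03/24 11:00:49,0001A0000012,USERID,login,2305,"
    "2021/03/24 11:00:49,vsys1,192.0.2.10,example,,0,1,10800,0,0,ad-agent,agent,"
    "1252774,0x0,0,0,0,0,,fw-edge-01,1,,2021/03/24 11:00:49,1,0x80000000,alice",
    "Mar 24 10:59:45 pa-fw01 1,2021/03/24 10:59:45,0001A0000012,USERID,logout,2305,"
    "2021/03/24 10:59:45,vsys1,192.0.2.10,example,,0,1,0,0,0,ad-agent,agent,"
    "1252765,0x0,0,0,0,0,,fw-edge-01,1,,2021/03/24 10:59:45,1,0x80000000,alice",
]


def parse_userid_line(line):
    """Return a dict for a USERID line, None for other PAN-OS log types."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("line does not carry the expected syslog header")
    # The vendor body is CSV; csv.reader keeps quoted values with commas intact.
    fields = next(csv.reader([m.group("body")]))
    if len(fields) > 3 and fields[3] != "USERID":
        return None  # TRAFFIC/THREAT have their own layouts and parsers
    if len(fields) != EXPECTED_FIELDS:
        # Fail loudly rather than silently shifting the user-name column.
        raise ValueError(f"expected {EXPECTED_FIELDS} fields, got {len(fields)}")
    event = {name: fields[idx] for name, idx in _POSITIONS.items()}
    event["syslog_host"] = m.group("host")
    event["receive_time"] = datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S")
    event["generated_time"] = datetime.strptime(fields[6], "%Y/%m/%d %H:%M:%S")
    event["raw_fields"] = fields  # unnamed columns stay reachable by index
    return event


def summarize(lines):
    """Group login/logout events per user, oldest first, for mapping review."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_userid_line(line)
        if ev is None:
            continue
        by_user[ev["user_name"]].append(
            (ev["subtype"], ev["source_ip"], ev["receive_time"])
        )
    for events in by_user.values():
        events.sort(key=lambda e: e[2])
    return dict(by_user)


if __name__ == "__main__":
    for user, events in summarize(SAMPLE_LINES).items():
        for subtype, ip, when in events:
            print(f"{when:%Y-%m-%d %H:%M:%S} {user:<10} {subtype:<6} from {ip}")
```

summarize() orders each user's login/logout events by receive time so IP-to-user mapping churn is easy to review, and the strict 32-column check makes a layout change between PAN-OS versions fail visibly instead of silently moving the user-name column.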

@willemdh

Created #24724 and added some info to https://discuss.elastic.co/t/palo-alto-integration-with-userid-siem-feature/268173/5

@legoguy1000
Contributor

I can try to update the PanOS fileset to parse these logs.

@legoguy1000
Contributor

I've started a draft for this.

@legoguy1000
Contributor

@rdrgporto Do you have more User ID log examples? I looked here, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkACAS, and the number of fields doesn't seem to line up.

@rdrgporto
Author

Hi, @legoguy1000

Here are more User ID examples and my test Logstash pipeline configuration example:

I have looked at the Palo Alto documentation to figure out the field names: Palo Alto 9.1.3.

Thanks in advance 😃

@legoguy1000
Contributor

Updated the PR with these logs and took some of your changes from the Logstash pipeline you provided.

@legoguy1000
Contributor

Took the PR out of draft.
