elastic#24350: Add HIP Match logs

legoguy1000 · May 25, 2021 · fc1f5e2 · fc1f5e2
1 parent 4b14493
commit fc1f5e2
Show file tree

Hide file tree

Showing 11 changed files with 439 additions and 3 deletions.
diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -291,3 +291,43 @@
       type: keyword
       description: >
         The type of tunnel (either SSLVPN or IPSec).
+
+    - name: connect_method
+      type: keyword
+      description: >
+        A string showing the how the GlobalProtect app connects to Gateway
+
+    - name: matchname
+      type: keyword
+      description: >
+        Name of the HIP object or profile.
+
+    - name: matchtype
+      type: keyword
+      description: >
+        Whether the hip field represents a HIP object or a HIP profile.
+
+    - name: priority
+      type: keyword
+      description: >
+        The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
+
+    - name: response_time
+      type: keyword
+      description: >
+        The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
+
+    - name: attempted_gateways
+      type: keyword
+      description: >
+        The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
+
+    - name: gateway
+      type: keyword
+      description: >
+        The name of the gateway that is specified on the portal configuration.
+
+    - name: selection_type
+      type: keyword
+      description: >
+        The connection method that is selected to connect to the gateway.
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -37,12 +37,12 @@ processors:
       overwrite_keys: true
       omit_empty: true
       mappings:
+        _temp_.ietf_header: 0
         event.created: 1
         observer.serial_number: 2
         panw.panos.type: 3
         panw.panos.sub_type: 4
         _temp_.generated_time: 6
-        _temp_.ietf_header: 0
 
   - extract_array:
       when:
@@ -215,6 +215,11 @@ processors:
         observer.hostname: 33
         panw.panos.sequence_number: 34
         panw.panos.actionflags: 35
+        panw.panos.selection_type: 37
+        panw.panos.response_time: 38
+        panw.panos.priority: 39
+        panw.panos.attempted_gateways: 40
+        panw.panos.gateway: 41
 
   - extract_array:
       when:
@@ -257,6 +262,43 @@ processors:
         source.user.name: 31
         client.user.name: 31
 
+  - extract_array:
+      when:
+        or:
+          - equals:
+              panw.panos.type: HIPMATCH
+          - equals:
+              panw.panos.type: HIP-MATCH
+      field: csv
+      omit_empty: true
+      overwrite_keys: true
+      fail_on_error: false
+      mappings:
+        _temp_.srcuser: 7
+        panw.panos.virtual_sys: 8
+        host.name: 9
+        host.os.full: 10
+        client.ip: 11
+        source.ip: 11
+        source.address: 11
+        panw.panos.matchname: 12
+        panw.panos.repeatcnt: 13
+        panw.panos.matchtype: 14
+        panw.panos.sequence_number: 17
+        panw.panos.actionflags: 18
+        panw.panos.device_group_hierarchy.level_1: 19
+        panw.panos.device_group_hierarchy.level_2: 20
+        panw.panos.device_group_hierarchy.level_3: 21
+        panw.panos.device_group_hierarchy.level_4: 22
+        panw.panos.vsys_name: 23
+        observer.hostname: 24
+        panw.panos.vsys_id: 25
+        _temp_.source_ipv6: 26
+        host.id: 27
+        panw.panos.serial_number: 28
+        host.mac: 29
+
+
   - drop_fields:
       fields:
         - csv

diff --git a/x-pack/filebeat/module/panw/panos/ingest/hipmatch.yml b/x-pack/filebeat/module/panw/panos/ingest/hipmatch.yml
@@ -0,0 +1,33 @@
+---
+description: Pipeline for PanOS HIP Match Logs
+processors:
+  - grok:
+      field: _temp_.srcuser
+      ignore_missing: true
+      ignore_failure: true
+      patterns:
+        - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+        - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+        - '%{USERNAME:source.user.name}'
+      if: ctx?._temp_?.srcuser != null
+  - set:
+      field: source.ip
+      value: "{{_temp_.source_ipv6}}"
+      if: ctx?._temp_?.source_ipv6 != null && ctx?._temp_?.source_ipv6 != "" && ctx?._temp_?.source_ipv6 != "0.0.0.0"
+  - set:
+      field: network.type
+      value: 'ipv4'
+      if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+  - set:
+      field: network.type
+      value: 'ipv6'
+      if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+on_failure:
+  - append:
+      field: error.message
+      value: >-
+        error in HIP Match pipeline:
+        error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+        with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+        {{ _ingest.on_failure_message }}
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -173,6 +173,11 @@ processors:
       if: ctx?.panw?.panos?.type == "USERID"
       name: '{< IngestPipeline "userid" >}'
 
+## HIPMATCH
+  - pipeline:
+      if: ctx?.panw?.panos?.type != null && ["HIP-MATCH", "HIPMATCH"].contains(ctx?.panw?.panos?.type)
+      name: '{< IngestPipeline "hipmatch" >}'
+
   - append:
       field: event.type
       allow_duplicates: false

diff --git a/x-pack/filebeat/module/panw/panos/ingest/userid.yml b/x-pack/filebeat/module/panw/panos/ingest/userid.yml
@@ -1,5 +1,5 @@
 ---
-description: Pipeline for PanOS Global ProtectUser ID Logs
+description: Pipeline for PanOS User ID Logs
 processors:
   - grok:
       field: _temp_.srcuser

diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
@@ -27,6 +27,7 @@ ingest_pipeline:
   - ingest/threat.yml
   - ingest/globalprotect.yml
   - ingest/userid.yml
+  - ingest/hipmatch.yml
 input: config/input.yml
 
 requires.processors:

diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log
@@ -3,3 +3,8 @@
 1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,"",1,,,"HIP report is not needed",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0
 1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Config name: , Client region: BE.",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0
 1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,"",1,,,"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0
+
+1,2021/03/02 09:55:42,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:55:39,vsys1,gateway-auth,login,Other,,maxmustermann,10.0.0.0-10.255.255.255,PC1234,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,985e865f-7da3-43b4-89a9-299b1bb0c975,SERIALNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,pre-logon,0,GP GW intern,6894571632887748064,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,,
+1,2021/03/02 11:01:03,123456789999,GLOBALPROTECT,0,2305,2021/03/02 11:01:02,vsys1,gateway-setup-ipsec,tunnel,,IPSec,domain\musterman,DE,Rechner123,123.123.123.123,0.0.0.0,10.20.30.40,0.0.0.0,96c43d47-8bb5-4f78-8dfc-413a189a29e0,SERIALNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,,0,GPGateway,6894571632887761989,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,,
+1,2021/03/02 09:39:33,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:39:26,vsys1,portal-prelogin,before-login,,,Max.Mustermann@domain.de,10.0.0.0-10.255.255.255,,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,0183d851-7ea2-4a0d-80de-fde1e04ce12f,,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,,0,GP Portal,6894571632887745099,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,,
+1,2021/03/02 09:47:18,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:47:13,vsys1,portal-getconfig,configuration,,,domain\maxmustermann,10.0.0.0-10.255.255.255,PC12345,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,8cbc136b-e262-4cf8-912c-95ea132d9fef,SERIENNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,"Config name: GP Clients, Machine Certificate CN : (null)",success,,0,pre-logon,0,GP Portal,6894571632887746544,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,,