Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[filebeat] panw.panos indexing denied twice in event.type #22413

Closed
willemdh opened this issue Nov 4, 2020 · 2 comments · Fixed by #24799
Closed

[filebeat] panw.panos indexing denied twice in event.type #22413

willemdh opened this issue Nov 4, 2020 · 2 comments · Fixed by #24799
Labels
bug

Comments

@willemdh
Copy link

willemdh commented Nov 4, 2020
edited
Loading

panw.panos dataset's event.type field is populated with the value 'denied' twice.

Elastic 7.9.2

image

https://discuss.elastic.co/t/siem-rule-override-not-working-as-expected/253933/4

In /usr/share/filebeat/module/panw/panos/ingest/pipeline.yml I can find:

 - append:
     field: event.type
     value:
       - denied
       - connection
     if: 'ctx?._temp_?.message_subtype == "deny"'

 - append:
     field: event.type
     value: denied
     if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)"

So my guess is that the first block should possibly be removed? And the second block should maybe add connection too?
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 4, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 4, 2020
@jamiehynds jamiehynds added the bug label Nov 4, 2020
@willemdh willemdh mentioned this issue Dec 17, 2020
Closed
@legoguy1000
Copy link
Contributor

This should be an easy fix

@legoguy1000 legoguy1000 mentioned this issue Mar 28, 2021
Merged
6 tasks
leehinman pushed a commit to legoguy1000/beats that referenced this issue Mar 30, 2021
@legoguy1000 @leehinman
elastic#22413: Prevented duplicates in event.*
68ee6e9 
elastic#22748: Parsed panos logs for virtual system
leehinman added a commit that referenced this issue Mar 30, 2021
@legoguy1000 @leehinman
[Filebeat] Update PanOS parsing and ingest pipeline (#24799)
c94a8f8 
PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes #22413
Closes #22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
@leehinman leehinman mentioned this issue Mar 30, 2021
Merged
6 tasks
leehinman pushed a commit to leehinman/beats that referenced this issue Mar 30, 2021
@legoguy1000 @leehinman
[Filebeat] Update PanOS parsing and ingest pipeline (elastic#24799)
9601ecd 
PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes elastic#22413
Closes elastic#22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit c94a8f8)
@leehinman leehinman mentioned this issue Mar 30, 2021
Merged
6 tasks
leehinman pushed a commit to leehinman/beats that referenced this issue Mar 30, 2021
@legoguy1000 @leehinman
[Filebeat] Update PanOS parsing and ingest pipeline (elastic#24799)
5794a7f 
PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes elastic#22413
Closes elastic#22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit c94a8f8)
leehinman added a commit that referenced this issue Mar 30, 2021
@leehinman @legoguy1000
[Filebeat] Update PanOS parsing and ingest pipeline (#24799) (#24858)
328e7ef 
PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes #22413
Closes #22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit c94a8f8)

Co-authored-by: Alex Resnick <adr8292@gmail.com>
leehinman added a commit that referenced this issue Mar 30, 2021
@leehinman @legoguy1000
[Filebeat] Update PanOS parsing and ingest pipeline (#24799) (#24857)
3788227 
PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes #22413
Closes #22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit c94a8f8)

Co-authored-by: Alex Resnick <adr8292@gmail.com>
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@leehinman @legoguy1000
[Filebeat] Update PanOS parsing and ingest pipeline (elastic#24799) (e…
7bb2d0c 
…lastic#24858)

PanOS Updates

- prevent duplicates in event.*
- add virtual system field

Closes elastic#22413
Closes elastic#22748

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit 1d67812)

Co-authored-by: Alex Resnick <adr8292@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] Update PanOS parsing and ingest pipeline legoguy1000/beats
4 participants
@willemdh @legoguy1000 @elasticmachine @jamiehynds