elastic · leehinman · Sep 15, 2020 · Sep 2, 2020 · Sep 2, 2020 · Sep 15, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -563,6 +563,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve Santa module with `x509` ECS mappings {pull}20976[20976]
 - Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973]
 - Added new module for Zoom webhooks {pull}20414[20414]
+- Add type and sub_type to panw panos fileset {pull}20912[20912]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -96109,6 +96109,20 @@ type: keyword
 
 --
 
+*`panw.panos.type`*::
++
+--
+Specifies the type of the log
+
+--
+
+*`panw.panos.sub_type`*::
++
+--
+Specifies the sub type of the log
+
+--
+
 [[exported-fields-postgresql]]
 == PostgreSQL fields
 

diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -136,3 +136,9 @@
       type: keyword
       description: >-
         Action taken for the session.
+    - name: type
+      description: >-
+        Specifies the type of the log
+    - name: sub_type
+      description: >-
+        Specifies the sub type of the log
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -35,17 +35,18 @@ processors:
   - extract_array:
       field: csv
       overwrite_keys: true
+      omit_empty: true
       mappings:
         event.created: 1
         observer.serial_number: 2
-        _temp_.message_type: 3
-        _temp_.message_subtype: 4
+        panw.panos.type: 3
+        panw.panos.sub_type: 4
         _temp_.generated_time: 6
 
   - extract_array:
       when:
         equals:
-          _temp_.message_type: TRAFFIC
+          panw.panos.type: TRAFFIC
       field: csv
       overwrite_keys: true
       omit_empty: true
@@ -107,7 +108,7 @@ processors:
   - extract_array:
       when:
        equals:
-          _temp_.message_type: THREAT
+          panw.panos.type: THREAT
       field: csv
       omit_empty: true
       overwrite_keys: true

diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -134,72 +134,72 @@ processors:
  - set:
      field: network.direction
      value: inbound
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"'
  - set:
      field: network.direction
      value: outbound
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
  - set:
      field: network.direction
      value: internal
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"'
  - set:
      field: network.direction
      value: external
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"'
  - set:
      field: network.direction
      value: unknown
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))'
 
 # Set network.direction from threat direction (Threat logs).
  - set:
      field: network.direction
      value: inbound
-     if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")'
 
  - set:
      field: network.direction
      value: outbound
-     if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")'
 
  - set:
      field: network.direction
      value: unknown
-     if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null'
+     if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null'
 
 # Set network.type for TRAFFIC.
  - set:
      field: network.type
      value: 'ipv4'
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null'
  - set:
      field: network.type
      value: 'ipv6'
-     if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null'
 
   # Set event.category depending on log type.
  - set:
      field: event.kind
      value: event
-     if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
  - append:
      field: event.category
      value:
        - network_traffic
        - network
-     if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+     if: 'ctx?.panw?.panos?.type == "TRAFFIC"'
  - set:
      field: event.kind
      value: alert
-     if: 'ctx?._temp_?.message_type == "THREAT"'
+     if: 'ctx?.panw?.panos?.type == "THREAT"'
  - append:
      field: event.category
      value:
        - security_threat
        - intrusion_detection
        - network
-     if: 'ctx?._temp_?.message_type == "THREAT"'
+     if: 'ctx?.panw?.panos?.type == "THREAT"'
  - append:
      field: event.type
      value: allowed
@@ -217,89 +217,89 @@ processors:
  - set:
      field: event.action
      value: flow_started
-     if: 'ctx?._temp_?.message_subtype == "start"'
+     if: 'ctx?.panw?.panos?.sub_type == "start"'
  - append:
      field: event.type
      value:
        - start
        - connection
-     if: 'ctx?._temp_?.message_subtype == "start"'
+     if: 'ctx?.panw?.panos?.sub_type == "start"'
  - set:
      field: event.action
      value: flow_terminated
-     if: 'ctx?._temp_?.message_subtype == "end"'
+     if: 'ctx?.panw?.panos?.sub_type == "end"'
  - append:
      field: event.type
      value:
        - end
        - connection
-     if: 'ctx?._temp_?.message_subtype == "end"'
+     if: 'ctx?.panw?.panos?.sub_type == "end"'
  - set:
      field: event.action
      value: flow_dropped
-     if: 'ctx?._temp_?.message_subtype == "drop"'
+     if: 'ctx?.panw?.panos?.sub_type == "drop"'
  - append:
      field: event.type
      value:
        - denied
        - connection
-     if: 'ctx?._temp_?.message_subtype == "drop"'
+     if: 'ctx?.panw?.panos?.sub_type == "drop"'
  - set:
      field: event.action
      value: flow_denied
-     if: 'ctx?._temp_?.message_subtype == "deny"'
+     if: 'ctx?.panw?.panos?.sub_type == "deny"'
  - append:
      field: event.type
      value:
        - denied
        - connection
-     if: 'ctx?._temp_?.message_subtype == "deny"'
+     if: 'ctx?.panw?.panos?.sub_type == "deny"'
 
 # event.action for threat logs.
  - set:
      field: event.action
      value: data_match
-     if: 'ctx?._temp_?.message_subtype == "data"'
+     if: 'ctx?.panw?.panos?.sub_type == "data"'
  - set:
      field: event.action
      value: file_match
-     if: 'ctx?._temp_?.message_subtype == "file"'
+     if: 'ctx?.panw?.panos?.sub_type == "file"'
  - set:
      field: event.action
      value: flood_detected
-     if: 'ctx?._temp_?.message_subtype == "flood"'
+     if: 'ctx?.panw?.panos?.sub_type == "flood"'
  - set:
      field: event.action
      value: packet_attack
-     if: 'ctx?._temp_?.message_subtype == "packet"'
+     if: 'ctx?.panw?.panos?.sub_type == "packet"'
  - set:
      field: event.action
      value: scan_detected
-     if: 'ctx?._temp_?.message_subtype == "scan"'
+     if: 'ctx?.panw?.panos?.sub_type == "scan"'
  - set:
      field: event.action
      value: spyware_detected
-     if: 'ctx?._temp_?.message_subtype == "spyware"'
+     if: 'ctx?.panw?.panos?.sub_type == "spyware"'
  - set:
      field: event.action
      value: url_filtering
-     if: 'ctx?._temp_?.message_subtype == "url"'
+     if: 'ctx?.panw?.panos?.sub_type == "url"'
  - set:
      field: event.action
      value: virus_detected
-     if: 'ctx?._temp_?.message_subtype == "virus"'
+     if: 'ctx?.panw?.panos?.sub_type == "virus"'
  - set:
      field: event.action
      value: exploit_detected
-     if: 'ctx?._temp_?.message_subtype == "vulnerability"'
+     if: 'ctx?.panw?.panos?.sub_type == "vulnerability"'
  - set:
      field: event.action
      value: wildfire_verdict
-     if: 'ctx?._temp_?.message_subtype == "wildfire"'
+     if: 'ctx?.panw?.panos?.sub_type == "wildfire"'
  - set:
      field: event.action
      value: wildfire_virus_detected
-     if: 'ctx?._temp_?.message_subtype == "wildfire-virus"'
+     if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"'
 
 
 # Set numeric log.level from event.severity.