diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml
index 12e2eb7d5f02..bca4b1645aad 100644
--- a/packages/panw/changelog.yml
+++ b/packages/panw/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.24.4"
+ changes:
+ - description: Make / in url optional
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9688
 - version: "3.24.3"
 changes:
 - description: Allow apostrophes in usernames
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
index 3a66e5a720d4..30c19c3a8077 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
@@ -196,3 +196,9 @@ Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/1 Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,x-fwd-for: 10.10.10.50,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domainname\\src-user#name,dst_domainname\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domain..name\\src-user#name,dst_domain..name\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 
16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,"keyvalueservice.icloud.com",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_Apple,online-storage-and-backup,low-risk",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,_reportid +Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,"keyvalueservice.icloud.com?q=30",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_Apple,online-storage-and-backup,low-risk",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,_reportid +Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 
16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,"keyvalueservice.icloud.com:443?q=30",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_Apple,online-storage-and-backup,low-risk",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,_reportid +Apr 9 16:57:37 PA5250 1,2024/04/09 11:00:29,123456789012,THREAT,url,2561,2024/04/09 11:00:29,10.154.247.224,192.168.4.4,192.168.72.187,192.168.4.4,A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet,,,ssl,vsys1,Open Internet,Internet-PUBNET,ae1.898,ethernet1/16.451,Panorama-Elastic,2024/04/09 11:00:29,2552174,1,57241,443,6226,443,0x403400,tcp,block-url,"dns.google",(9999),encrypted-dns,informational,client-to-server,7341108846081879882,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"encrypted-dns,computer-and-internet-info,low-risk",f27e631a-d0b9-4d01-bdfa-e955076d9a21,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T11:00:29.812+02:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,_reportid +Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 
20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,"www.google.com/",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_OCP4_worker-nodes,search-engines,low-risk",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,google-base,no,no,_reportid +Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,"www.google.com:80/",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_OCP4_worker-nodes,search-engines,low-risk",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,google-base,no,no,_reportid diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json index 0257f1f8a978..28fa410153dc 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json 
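Review bot: The six added samples cover a bare host (`keyvalueservice.icloud.com`, `dns.google`), `host?query`, `host:port?query`, `host/` and `host:port/`, but none covers a bare `host:port` with neither path nor query, which is the simplest shape the now-optional `/` has to accept; a seventh line identical to the first `keyvalueservice.icloud.com` sample but with the URL field `"keyvalueservice.icloud.com:443"` would pin that case. In the following expected-output hunk the event for the `keyvalueservice.icloud.com:443?q=30` sample appears to carry `url.domain` and `url.port` but no `destination.domain`, while the two preceding events that differ only by port and query do have `destination.domain`, so the regenerated expectations may be ratifying a port-handling gap in the pipeline rather than intended behaviour — worth confirming against the pipeline before merging. The pipeline change that makes the `/` optional is not part of this diff, so this is inferred from the fixtures alone.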
@@ -34173,6 +34173,1024 @@ "domain": "src_domain..name", "name": "src-user#name" } + }, + { + "@timestamp": "2024-04-09T16:57:36.000+09:30", + "destination": { + "domain": "keyvalueservice.icloud.com", + "geo": { + "name": "United States" + }, + "ip": "192.168.236.67", + "nat": { + "ip": "192.168.236.67", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T16:57:36.000+09:30", + "kind": "alert", + "original": "Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "decrypted_traffic": true, + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 
16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "network": { + "application": "ssl", + "community_id": [ + "1:9Cf5Ly+A2jEi3GenJqNWP53o5W8=", + "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Internet" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.1324" + }, + "zone": "IOT" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x8000000000000000", + "application": { + "category": "networking", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "encrypted-tunnel", + "technology": "browser-based", + "tunneled": "ssl" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "33874993", + "high_resolution_timestamp": "2024-04-10T00:27:37.089+09:30", + "http2_connection": "0", + "imsi": "0", + "log_profile": "Panorama-Elastic", + 
"logged_time": "2024-04-09T16:57:36.000+09:30", + "network": { + "nat": { + "community_id": "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + } + }, + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_L7D_Kassasystemen-2-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846123879261", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "online-storage-and-backup" + }, + "url_category_list": [ + "CUC_Apple", + "online-storage-and-backup", + "low-risk" + ], + "url_idx": "0", + "virtual_sys": "vsys1", + "vsys_name": "Core", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.84.12.242", + "192.168.236.67", + "192.168.26.150" + ] + }, + "rule": { + "name": "A_SRC_L7D_Kassasystemen-2-Internet", + "uuid": "608460e0-3b24-4bef-a676-96027545ae7d" + }, + "source": { + "geo": { + "name": "10.0.0.0-10.255.255.255" + }, + "ip": "10.84.12.242", + "nat": { + "ip": "192.168.26.150", + "port": 29394 + }, + "port": 54421 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "keyvalueservice.icloud.com", + "original": "keyvalueservice.icloud.com" + } + }, + { + "@timestamp": "2024-04-09T16:57:36.000+09:30", + "destination": { + "domain": "keyvalueservice.icloud.com", + "geo": { + "name": "United States" + }, + "ip": "192.168.236.67", + "nat": { + "ip": "192.168.236.67", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T16:57:36.000+09:30", + "kind": "alert", + "original": "Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 
16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com?q=30\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "decrypted_traffic": true, + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com?q=30\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "network": { + "application": "ssl", + "community_id": [ + "1:9Cf5Ly+A2jEi3GenJqNWP53o5W8=", 
+ "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Internet" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.1324" + }, + "zone": "IOT" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x8000000000000000", + "application": { + "category": "networking", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "encrypted-tunnel", + "technology": "browser-based", + "tunneled": "ssl" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "33874993", + "high_resolution_timestamp": "2024-04-10T00:27:37.089+09:30", + "http2_connection": "0", + "imsi": "0", + "log_profile": "Panorama-Elastic", + "logged_time": "2024-04-09T16:57:36.000+09:30", + "network": { + "nat": { + "community_id": "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + } + }, + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_L7D_Kassasystemen-2-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846123879261", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "online-storage-and-backup" + }, + "url_category_list": [ + "CUC_Apple", + "online-storage-and-backup", + "low-risk" + ], + "url_idx": "0", + "virtual_sys": "vsys1", + "vsys_name": "Core", 
+ "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.84.12.242", + "192.168.236.67", + "192.168.26.150" + ] + }, + "rule": { + "name": "A_SRC_L7D_Kassasystemen-2-Internet", + "uuid": "608460e0-3b24-4bef-a676-96027545ae7d" + }, + "source": { + "geo": { + "name": "10.0.0.0-10.255.255.255" + }, + "ip": "10.84.12.242", + "nat": { + "ip": "192.168.26.150", + "port": 29394 + }, + "port": 54421 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "keyvalueservice.icloud.com", + "original": "keyvalueservice.icloud.com?q=30", + "query": "q=30" + } + }, + { + "@timestamp": "2024-04-09T16:57:36.000+09:30", + "destination": { + "geo": { + "name": "United States" + }, + "ip": "192.168.236.67", + "nat": { + "ip": "192.168.236.67", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T16:57:36.000+09:30", + "kind": "alert", + "original": "Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04/09 16:57:36,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com:443?q=30\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + 
"outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "decrypted_traffic": true, + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_L7D_Kassasystemen-2-Internet,,,ssl,vsys1,IOT,Internet,ae1.1324,ae2.497,Panorama-Elastic,2024/04/09 16:57:36,33874993,1,54421,443,29394,443,0x403400,tcp,block-url,\"keyvalueservice.icloud.com:443?q=30\",(9999),online-storage-and-backup,informational,client-to-server,7341108846123879261,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_Apple,online-storage-and-backup,low-risk\",608460e0-3b24-4bef-a676-96027545ae7d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T16:57:37.089+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "network": { + "application": "ssl", + "community_id": [ + "1:9Cf5Ly+A2jEi3GenJqNWP53o5W8=", + "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Internet" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.1324" + }, + "zone": "IOT" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x8000000000000000", + "application": { + "category": "networking", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "encrypted-tunnel", + "technology": "browser-based", 
+ "tunneled": "ssl" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "33874993", + "high_resolution_timestamp": "2024-04-10T00:27:37.089+09:30", + "http2_connection": "0", + "imsi": "0", + "log_profile": "Panorama-Elastic", + "logged_time": "2024-04-09T16:57:36.000+09:30", + "network": { + "nat": { + "community_id": "1:1yhJbpN5vQ1jIWijjHlbSiXB0a4=" + } + }, + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_L7D_Kassasystemen-2-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846123879261", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "online-storage-and-backup" + }, + "url_category_list": [ + "CUC_Apple", + "online-storage-and-backup", + "low-risk" + ], + "url_idx": "0", + "virtual_sys": "vsys1", + "vsys_name": "Core", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.84.12.242", + "192.168.236.67", + "192.168.26.150" + ] + }, + "rule": { + "name": "A_SRC_L7D_Kassasystemen-2-Internet", + "uuid": "608460e0-3b24-4bef-a676-96027545ae7d" + }, + "source": { + "geo": { + "name": "10.0.0.0-10.255.255.255" + }, + "ip": "10.84.12.242", + "nat": { + "ip": "192.168.26.150", + "port": 29394 + }, + "port": 54421 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "keyvalueservice.icloud.com", + "original": "keyvalueservice.icloud.com:443?q=30", + "port": 443, + "query": "q=30" + } + }, + { + "@timestamp": "2024-04-09T11:00:29.000+09:30", + "destination": { + "domain": "dns.google", + "geo": { + "name": "United States" + }, + "ip": "192.168.4.4", + "nat": { + 
"ip": "192.168.4.4", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T11:00:29.000+09:30", + "kind": "alert", + "original": "Apr 9 16:57:37 PA5250 1,2024/04/09 11:00:29,123456789012,THREAT,url,2561,2024/04/09 11:00:29,10.154.247.224,192.168.4.4,192.168.72.187,192.168.4.4,A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet,,,ssl,vsys1,Open Internet,Internet-PUBNET,ae1.898,ethernet1/16.451,Panorama-Elastic,2024/04/09 11:00:29,2552174,1,57241,443,6226,443,0x403400,tcp,block-url,\"dns.google\",(9999),encrypted-dns,informational,client-to-server,7341108846081879882,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"encrypted-dns,computer-and-internet-info,low-risk\",f27e631a-d0b9-4d01-bdfa-e955076d9a21,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T11:00:29.812+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "decrypted_traffic": true, + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "10.154.247.224,192.168.4.4,192.168.72.187,192.168.4.4,A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet,,,ssl,vsys1,Open Internet,Internet-PUBNET,ae1.898,ethernet1/16.451,Panorama-Elastic,2024/04/09 11:00:29,2552174,1,57241,443,6226,443,0x403400,tcp,block-url,\"dns.google\",(9999),encrypted-dns,informational,client-to-server,7341108846081879882,0x8000000000000000,10.0.0.0-10.255.255.255,United 
States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"encrypted-dns,computer-and-internet-info,low-risk\",f27e631a-d0b9-4d01-bdfa-e955076d9a21,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T11:00:29.812+02:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,_reportid", + "network": { + "application": "ssl", + "community_id": [ + "1:/sBldE1YfpiqQJwZ/AK1gAVSeLg=", + "1:7A13ya6Oyf5hTplW1WqJoG/9Sms=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/16.451" + }, + "zone": "Internet-PUBNET" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.898" + }, + "zone": "Open Internet" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x8000000000000000", + "application": { + "category": "networking", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "encrypted-tunnel", + "technology": "browser-based", + "tunneled": "ssl" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "2552174", + "high_resolution_timestamp": "2024-04-09T18:30:29.812+09:30", + "http2_connection": "0", + "imsi": "0", + "log_profile": "Panorama-Elastic", + "logged_time": "2024-04-09T11:00:29.000+09:30", + "network": { + "nat": { + "community_id": "1:7A13ya6Oyf5hTplW1WqJoG/9Sms=" + } + }, + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + 
"payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846081879882", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "encrypted-dns" + }, + "url_category_list": [ + "encrypted-dns", + "computer-and-internet-info", + "low-risk" + ], + "url_idx": "0", + "virtual_sys": "vsys1", + "vsys_name": "Core", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.154.247.224", + "192.168.4.4", + "192.168.72.187" + ] + }, + "rule": { + "name": "A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet", + "uuid": "f27e631a-d0b9-4d01-bdfa-e955076d9a21" + }, + "source": { + "geo": { + "name": "10.0.0.0-10.255.255.255" + }, + "ip": "10.154.247.224", + "nat": { + "ip": "192.168.72.187", + "port": 6226 + }, + "port": 57241 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "dns.google", + "original": "dns.google" + } + }, + { + "@timestamp": "2024-04-09T20:43:29.000+09:30", + "destination": { + "domain": "www.google.com", + "geo": { + "name": "United States" + }, + "ip": "192.168.110.104", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T20:43:29.000+09:30", + "kind": "alert", + "original": "Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 
20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,\"www.google.com/\",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_OCP4_worker-nodes,search-engines,low-risk\",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,google-base,no,no,_reportid", + "outcome": "success", + "severity": 5, + "timezone": "+09:30", + "type": [ + "allowed" + ] + }, + "http": { + "request": { + "method": "get" + } + }, + "labels": { + "container_page": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,\"www.google.com/\",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_OCP4_worker-nodes,search-engines,low-risk\",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,google-base,no,no,_reportid", + "network": { + "application": "google-base", + "community_id": "1:MnImcU1JEPf3qnDIkOLE6/sgyPk=", + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Internet" + }, + "hostname": 
"AC-PA5250", + "ingress": { + "interface": { + "name": "ethernet1/15.451" + }, + "zone": "Internet" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "alert", + "action_flags": "0x8000000000000000", + "application": { + "category": "general-internet", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "internet-utility", + "technology": "browser-based", + "tunneled": "google-base" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "3853754", + "high_resolution_timestamp": "2024-04-10T04:13:30.719+09:30", + "http2_connection": "0", + "http_content_type": "text/html", + "imsi": "0", + "log_profile": "Panorama-Elastic", + "logged_time": "2024-04-09T20:43:29.000+09:30", + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_ANY_DMZ-Public-to-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846134004297", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "search-engines" + }, + "url_category_list": [ + "CUC_OCP4_worker-nodes", + "search-engines", + "low-risk" + ], + "url_idx": "1", + "virtual_sys": "vsys1", + "vsys_name": "Core", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "192.168.72.187", + "192.168.110.104" + ] + }, + "rule": { + "name": "A_SRC_ANY_DMZ-Public-to-Internet", + "uuid": "a76c7b1d-5e84-48f5-9498-a9d10ffc959c" 
+ }, + "source": { + "geo": { + "name": "Belgium" + }, + "ip": "192.168.72.187", + "port": 12235 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google.com", + "original": "www.google.com/", + "path": "/" + } + }, + { + "@timestamp": "2024-04-09T20:43:29.000+09:30", + "destination": { + "geo": { + "name": "United States" + }, + "ip": "192.168.110.104", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T20:43:29.000+09:30", + "kind": "alert", + "original": "Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,\"www.google.com:80/\",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_OCP4_worker-nodes,search-engines,low-risk\",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,google-base,no,no,_reportid", + "outcome": "success", + "severity": 5, + "timezone": "+09:30", + "type": [ + "allowed" + ] + }, + "http": { + "request": { + "method": "get" + } + }, + "labels": { + "container_page": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 
20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,\"www.google.com:80/\",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\" CUC_OCP4_worker-nodes,search-engines,low-risk\",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,google-base,no,no,_reportid", + "network": { + "application": "google-base", + "community_id": "1:MnImcU1JEPf3qnDIkOLE6/sgyPk=", + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Internet" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ethernet1/15.451" + }, + "zone": "Internet" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "alert", + "action_flags": "0x8000000000000000", + "application": { + "category": "general-internet", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "internet-utility", + "technology": "browser-based", + "tunneled": "google-base" + }, + "cloud_report": { + "id": "_reportid" + }, + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "3853754", + "high_resolution_timestamp": "2024-04-10T04:13:30.719+09:30", + "http2_connection": "0", + "http_content_type": "text/html", + "imsi": "0", + "log_profile": "Panorama-Elastic", + 
"logged_time": "2024-04-09T20:43:29.000+09:30", + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_ANY_DMZ-Public-to-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7341108846134004297", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "search-engines" + }, + "url_category_list": [ + "CUC_OCP4_worker-nodes", + "search-engines", + "low-risk" + ], + "url_idx": "1", + "virtual_sys": "vsys1", + "vsys_name": "Core", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "192.168.72.187", + "192.168.110.104" + ] + }, + "rule": { + "name": "A_SRC_ANY_DMZ-Public-to-Internet", + "uuid": "a76c7b1d-5e84-48f5-9498-a9d10ffc959c" + }, + "source": { + "geo": { + "name": "Belgium" + }, + "ip": "192.168.72.187", + "port": 12235 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google.com", + "original": "www.google.com:80/", + "path": "/", + "port": 80 + } } ] } \ No newline at end of file diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml index e02cd8cded06..132cdf6fcb97 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml +++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml 
@@ -284,35 +284,51 @@ processors:
   # When the scheme of the URL is absent, this script parses the URL in `ctx.panw.panos.misc` into components namely
   # `url.original`, `url.domain`, `url.port`, `url.path`, `url.query`, `url.extension`
   - script:
-      if: "ctx.url?.scheme == null && ctx.panw?.panos?.sub_type == 'url' && (ctx.panw?.panos?.misc instanceof String) && (ctx.panw.panos.misc.contains('/'))"
+      if: "ctx.url?.scheme == null && ctx.panw?.panos?.sub_type == 'url' && ctx.panw?.panos?.misc instanceof String"
       lang: painless
       source: |-
         Map url = new HashMap();
         String url_original = ctx.panw.panos.misc;
+        String domainPort = url_original;
         url.original = url_original;
-        int idxSlash = url_original.indexOf("/");
-        String domainPort = url_original.substring(0, idxSlash);
+
+        if (url_original.contains("/")) {
+          int idxSlash = url_original.indexOf("/");
+          domainPort = url_original.substring(0, idxSlash);
+          String afterDomain = url_original.substring(idxSlash);
+          int idxQuery = afterDomain.indexOf("?");
+          if (idxQuery == -1) {
+            url.path = afterDomain;
+          }
+          else {
+            url.path = afterDomain.substring(0, idxQuery);
+            url.query = afterDomain.substring(idxQuery + 1);
+          }
+          int idxExtn = url.path.indexOf(".");
+          if (idxExtn != -1) {
+            url.extension = url.path.substring(idxExtn+1);
+          }
+        }
+        else {
+          int idxQuery = url_original.indexOf("?");
+          if (idxQuery != -1) {
+            domainPort = url_original.substring(0, idxQuery);
+            url.query = url_original.substring(idxQuery + 1);
+          }
+        }
+
         if (domainPort.indexOf(":") != -1) {
           url.domain = domainPort.splitOnToken(":")[0];
-          url.port = domainPort.splitOnToken(":")[1];
+          try {
+            url.port = Long.parseLong(domainPort.splitOnToken(":")[1]);
+          } catch ( NumberFormatException e) {
+          }
         }
         else {
           url.domain = domainPort;
           ctx.destination.domain = domainPort;
         }
-        String afterDomain = url_original.substring(idxSlash);
-        int idxQuery = afterDomain.indexOf("?");
-        if (idxQuery == -1) {
-          url.path = afterDomain;
-        }
-        else {
-          url.path = afterDomain.substring(0,
idxQuery);
-          url.query = afterDomain.substring(idxQuery + 1);
-        }
-        int idxExtn = url.path.indexOf(".");
-        if (idxExtn != -1) {
-          url.extension = url.path.substring(idxExtn+1);
-        }
+        ctx.url = url;
   - set:
diff --git a/packages/panw/data_stream/panos/fields/ecs.yml b/packages/panw/data_stream/panos/fields/ecs.yml
index 289aeb31eb99..dca632db1165 100644
--- a/packages/panw/data_stream/panos/fields/ecs.yml
+++ b/packages/panw/data_stream/panos/fields/ecs.yml
@@ -264,6 +264,8 @@
   name: url.query
 - external: ecs
   name: url.domain
+- external: ecs
+  name: url.port
 - external: ecs
   name: user.email
 - external: ecs
diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md
index 1ab8906abfa9..13c68802d0af 100644
--- a/packages/panw/docs/README.md
+++ b/packages/panw/docs/README.md
@@ -704,6 +704,7 @@ An example event for `panos` looks as following:
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
 | url.original.text | Multi-field of `url.original`. | match_only_text |
 | url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.email | User email address. | keyword |
diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml
index a8f8b47298be..8bab841f96b7 100644
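Review bot: `ctx.destination.domain` is still populated only in the no-port branch of the domainPort check, so a `misc` value such as `www.google.com:80/` yields `url.domain` and `url.port` but no `destination.domain` — the new expected fixture for that event shows exactly that gap. Hoisting the host assignment above the port check, `String host = domainPort.splitOnToken(":")[0]; url.domain = host; ctx.destination.domain = host;`, would make both branches agree (assuming `ctx.destination` is always present here, as the existing else branch already assumes). The empty `catch ( NumberFormatException e) {}` should also carry a comment such as `// non-numeric port: keep url.domain, drop url.port` so the silent drop reads as intentional, and a value with a trailing colon (`host:`) may make `splitOnToken(":")[1]` throw an index error that this catch does not cover, so a length check on the split result before indexing is worth adding.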
--- a/packages/panw/manifest.yml
+++ b/packages/panw/manifest.yml
@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "3.24.3"
+version: "3.24.4"
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"