Upgrade panw module to ecs 1.8 (elastic#23931)

leweafan · Feb 10, 2021 · 25aeea3 · 25aeea3
1 parent 60f6174
commit 25aeea3
Show file tree

Hide file tree

Showing 8 changed files with 190 additions and 752 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -839,6 +839,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847]
 - Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927]
 - Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920]
+- Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -209,4 +209,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -385,21 +385,25 @@ processors:
  - append:
      if: 'ctx?.source?.ip != null'
      field: related.ip
+     allow_duplicates: false
      value:
        - '{{source.ip}}'
  - append:
      if: 'ctx?.destination?.ip != null'
      field: related.ip
+     allow_duplicates: false
      value:
        - '{{destination.ip}}'
  - append:
      if: 'ctx?.source?.nat?.ip != null'
      field: related.ip
+     allow_duplicates: false
      value:
        - '{{source.nat.ip}}'
  - append:
      if: 'ctx?.destination?.nat?.ip != null'
      field: related.ip
+     allow_duplicates: false
      value:
        - '{{destination.nat.ip}}'
 
@@ -528,43 +532,51 @@ processors:
 
  - append:
      field: related.user
+     allow_duplicates: false
      value: "{{client.user.name}}"
      if: "ctx?.client?.user?.name != null"
 
  - append:
      field: related.user
+     allow_duplicates: false
      value: "{{source.user.name}}"
      if: "ctx?.source?.user?.name != null"
 
  - append:
      field: related.user
+     allow_duplicates: false
      value: "{{server.user.name}}"
      if: "ctx?.server?.user?.name != null"
 
  - append:
      field: related.user
+     allow_duplicates: false
      value: "{{destination.user.name}}"
      if: "ctx?.destination?.user?.name != null"
 
  - append:
      field: related.user
+     allow_duplicates: false
      value: "{{url.username}}"
      if: "ctx?.url?.username != null && ctx?.url?.username != ''"
      allow_duplicates: false
 
  - append:
      field: related.hash
+     allow_duplicates: false
      value: "{{panw.panos.file.hash}}"
      if: "ctx?.panw?.panos?.file?.hash != null"
 
  - append:
      field: related.hosts
+     allow_duplicates: false
      value: "{{observer.hostname}}"
      if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
      allow_duplicates: false
 
  - append:
      field: related.hosts
+     allow_duplicates: false
      value: "{{url.domain}}"
      if: "ctx?.url?.domain != null && ctx.url?.domain != ''"
      allow_duplicates: false

diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
@@ -803,11 +803,9 @@
         "related.ip": [
             "192.168.0.2",
             "204.232.231.46",
-            "0.0.0.0",
             "0.0.0.0"
         ],
         "related.user": [
-            "crusher",
             "crusher"
         ],
         "rule.name": "rule1",