PANW: Use geo.name instead of geo.country_iso_code (elastic#14082)

PANW's PAN-OS logs contain source and destination location fields defined as "source country or internal region for private addresses". These were being copied into source.geo.country_iso_code which caused problems as they contain non-standard values. This patch updates the module to copy those fields into source.geo.name which is the right free-form field to use. Fixes elastic#13272
adriansr · Oct 16, 2019 · 06edbde · 06edbde
1 parent a98dc31
commit 06edbde
Show file tree

Hide file tree

Showing 7 changed files with 371 additions and 185 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -169,6 +169,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914]
 - Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034]
 - Fixed increased memory usage with large files when multiline pattern does not match. {issue}14068[14068]
+- panw module: Use geo.name instead of geo.country_iso_code for free-form location. {issue}13272[13272]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/modules/panw.asciidoc b/filebeat/docs/modules/panw.asciidoc
@@ -109,8 +109,8 @@ in ECS that are added under the `panw.panos` prefix:
 | Category |  | panw.panos.url.category
 | Severity | log.level |
 | Direction | network.direction |
-| Source Location | source.geo.country_iso_code |
-| Destination Location | destination.geo.country_iso_code |
+| Source Location | source.geo.name |
+| Destination Location | destination.geo.name |
 | PCAP_id |  | panw.panos.network.pcap_id
 | Filedigest |  | panw.panos.file.hash
 | User Agent | user_agent.original |

diff --git a/x-pack/filebeat/module/panw/_meta/docs.asciidoc b/x-pack/filebeat/module/panw/_meta/docs.asciidoc
@@ -104,8 +104,8 @@ in ECS that are added under the `panw.panos` prefix:
 | Category |  | panw.panos.url.category
 | Severity | log.level |
 | Direction | network.direction |
-| Source Location | source.geo.country_iso_code |
-| Destination Location | destination.geo.country_iso_code |
+| Source Location | source.geo.name |
+| Destination Location | destination.geo.name |
 | PCAP_id |  | panw.panos.network.pcap_id
 | Filedigest |  | panw.panos.file.hash
 | User Agent | user_agent.original |

diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -130,8 +130,8 @@ processors:
         panw.panos.url.category: 33
         log.level: 34
         _temp_.direction: 35
-        source.geo.country_iso_code: 38
-        destination.geo.country_iso_code: 39
+        _temp_.srcloc: 38
+        _temp_.dstloc: 39
         panw.panos.network.pcap_id: 42
         panw.panos.file.hash: 43
         user_agent.original: 46

diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -360,6 +360,18 @@ processors:
      target_field: destination.as.organization.name
      ignore_missing: true
 
+# Set source|destination.geo.name from panw's srcloc|dstloc
+ - rename:
+     if: 'ctx.source?.geo?.name == null'
+     field: _temp_.srcloc
+     target_field: source.geo.name
+     ignore_missing: true
+ - rename:
+     if: 'ctx.destination?.geo?.name == null'
+     field: _temp_.dstloc
+     target_field: destination.geo.name
+     ignore_missing: true
+
 # Append NAT community_id to network.community_id
  - append:
      if: 'ctx?.panw?.panos?.network?.nat?.community_id != null && ctx.panw.panos.network.nat.community_id != ctx?.network?.community_id'