Merge pull request #15 from criblpacks/feature/6-pan10-parsers

Update parser fields to PAN OS 10.2

README.md

@@ -33,6 +33,9 @@ FW-.*,Etc/GMT+1
 
 ## Release Notes
 ---
+### Version 0.7.0 - 2022-03-10
+* Updates parser fields to PAN OS 10.2. All fields added in PAN OS 10 are removed from events by default.
+
 ### Version 0.6.3 - 2022-03-03
 * Adds Correlation event log pipeline.
 

default/pipelines/pan_config/conf.yml

@@ -108,6 +108,8 @@ functions:
         - devicegroup_level4
         - vsys_name
         - dvc_name
+        - dvc_group
+        - audit_comment
       remove:
         - future_use*
         - "*_time"

default/pipelines/pan_correlation/conf.yml

@@ -23,8 +23,7 @@ functions:
     conf:
       add:
         - name: host
-          value: _raw.match(/[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s([^\s]+)\s/)[1]
-            || host
+          value: _raw.match(/[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s([^\s]+)\s/)[1] || host
         - name: sourcetype
           value: "'pan:correlation'"
         - name: source
@@ -67,8 +66,7 @@ functions:
       srcField: _raw
       dstField: _time
       defaultTimezone: utc
-      timeExpression: "__tz ? (time.getTime() / 1000) + (__tz * 3600) : (time.getTime() /
-        1000)"
+      timeExpression: "__tz ? (time.getTime() / 1000) + (__tz * 3600) : (time.getTime() / 1000)"
       offset: 0
       maxLen: 150
       defaultTime: now

default/pipelines/pan_decryption/conf.yml

@@ -127,7 +127,7 @@ functions:
         - key_exchange_algorithm
         - encryption_algorithm
         - hash_algorithm
-        - rule
+        - policy_name
         - elliptic_curve
         - error_index
         - root_status
@@ -175,7 +175,26 @@ functions:
         - dest_mac
         - sequence_number
         - action_flags
+        - devicegroup_level1
+        - devicegroup_level2
+        - devicegroup_level3
+        - devicegroup_level4
+        - vsys_name
+        - device_name
+        - vsys_id
+        - app_subcategory
+        - app_category
+        - app_technology
+        - app_risk
+        - app_characteristic
+        - app_container
+        - app_saas
+        - app_sanctioned
       remove:
         - future_use*
         - "*_time"
         - timestamp
+        - dest_dvc_*
+        - src_dvc_*
+        - devicegroup_*
+        - app_*

default/pipelines/pan_globalprotect/conf.yml

@@ -104,7 +104,7 @@ functions:
         - private_ip
         - private_ipv6
         - host_id
-        - serial_number
+        - serialnumber
         - client_ver
         - client_os
         - client_os_ver

default/pipelines/pan_hipmatch/conf.yml

@@ -112,6 +112,11 @@ functions:
         - dvc_name
         - vsys_id
         - ipv6_system_address
+        - host_id
+        - serialnumber
+        - mac
+        - high_res_timestamp
       remove:
         - future_use*
         - "*_time"
+        - high_res_timestamp

default/pipelines/pan_system/conf.yml

@@ -115,10 +115,14 @@ functions:
         - devicegroup_level4
         - vsys_name
         - dvc_name
+        - future_use5
+        - future_use6
+        - high_res_timestamp
       remove:
         - future_use*
         - receive_time
         - generated_time
+        - high_res_timestamp
   - id: serde
     filter: "true"
     disabled: true

default/pipelines/pan_threat/conf.yml

@@ -155,6 +155,56 @@ functions:
         - tunnel_type
         - threat_category
         - content_version
+        - future_use6
+        - sctp_assoc_id
+        - payload_protocol_id
+        - http_headers
+        - url_category_list
+        - rule_uuid
+        - http2_connection
+        - dynusergroup_name
+        - xff_ip
+        - src_dvc_category
+        - src_dvc_profile
+        - src_dvc_model
+        - src_dvc_vendor
+        - src_dvc_os_family
+        - src_dvc_os_version
+        - src_dvc_host
+        - src_dvc_mac
+        - dest_dvc_category
+        - dest_dvc_profile
+        - dest_dvc_model
+        - dest_dvc_vendor
+        - dest_dvc_os_family
+        - dest_dvc_os_version
+        - dest_dvc_host
+        - dest_dvc_mac
+        - container_id
+        - pod_namespace
+        - pod_name
+        - src_edl
+        - dest_edl
+        - host_id
+        - dvc_serial_number
+        - domain_edl
+        - src_dag
+        - dest_dag
+        - partial_hash
+        - high_res_timestmp
+        - reason
+        - justification
+        - nssai_sst
+        - app_subcategory
+        - app_category
+        - app_technology
+        - app_risk
+        - app_characteristic
+        - app_container
+        - app_saas
+        - app_sanction
+        - app_tunneled
+        - cloud_report_id
       keep: []
       remove:
         - receive_time
@@ -163,3 +213,26 @@ functions:
         - dest_location
         - future_use*
         - sequence_number
+        - sctp_*
+        - payload_protocol_id
+        - http_headers
+        - url_category_list
+        - rule_uuid
+        - http2_connection
+        - dynusergroup_name
+        - xff_ip
+        - src_dvc_*
+        - dest_dvc_*
+        - container_id
+        - pod_*
+        - "*_edl"
+        - host_id
+        - dvc_serial_number
+        - "*_dag"
+        - partial_hash
+        - high_res_timestmp
+        - reason
+        - justification
+        - nssai_sst
+        - app_*
+        - cloud_report_id

default/pipelines/pan_traffic/conf.yml

@@ -160,9 +160,84 @@ functions:
         - tunnel_session_id
         - tunnel_start_time
         - tunnel_type
+        - sctp_assoc_id
+        - sctp_chunks
+        - sctp_chunks_sent
+        - sctp_chunks_received
+        - rule_uuid
+        - http2_connection
+        - link_change_count
+        - policy_id
+        - link_switches
+        - sdwan_cluster
+        - sdwan_device_type
+        - sdwan_cluster_type
+        - sdwan_site
+        - dynusergroup_name
+        - xff_ip
+        - src_dvc_category
+        - src_dvc_profile
+        - src_dvc_model
+        - src_dvc_vendor
+        - src_dvc_os_family
+        - src_dvc_os_version
+        - src_dvc_host
+        - src_dvc_mac
+        - dest_dvc_category
+        - dest_dvc_profile
+        - dest_dvc_model
+        - dest_dvc_vendor
+        - dest_dvc_os_family
+        - dest_dvc_os_version
+        - dest_dvc_host
+        - dest_dvc_mac
+        - container_id
+        - pod_namespace
+        - pod_name
+        - src_edl
+        - dest_edl
+        - host_id
+        - dvc_serial_number
+        - src_dag
+        - dest_dag
+        - session_owner
+        - high_res_timestamp
+        - nsdsai_sst
+        - nsdsai_sd
+        - app_subcategory
+        - app_category
+        - app_technology
+        - app_risk
+        - app_characteristic
+        - app_container
+        - app_tunneled
+        - app_saas
+        - app_sanction
+        - offloaded
       remove:
         - future_use*
         - "*_time"
+        - sctp_*
+        - rule_uuid
+        - http2_connection
+        - link_*
+        - policy_id
+        - sdwan_*
+        - dynusergroup_name
+        - xff_ip
+        - src_dvc_*
+        - dest_dvc_*
+        - container_id
+        - pod_*
+        - "*_edl"
+        - host_id
+        - dvc_serial_number
+        - "*_dag"
+        - session_owner
+        - high_res_timestamp
+        - nsdsai_*
+        - app_*
+        - offloaded
       keep: []
   - id: comment
     filter: "true"
@@ -273,6 +348,60 @@ functions:
         - tunnel_session_id
         - tunnel_start_time
         - tunnel_type
+        - sctp_assoc_id
+        - sctp_chunks
+        - sctp_chunks_sent
+        - sctp_chunks_received
+        - rule_uuid
+        - http2_connection
+        - link_change_count
+        - policy_id
+        - link_switches
+        - sdwan_cluster
+        - sdwan_device_type
+        - sdwan_cluster_type
+        - sdwan_site
+        - dynusergroup_name
+        - xff_ip
+        - src_dvc_category
+        - src_dvc_profile
+        - src_dvc_model
+        - src_dvc_vendor
+        - src_dvc_os_family
+        - src_dvc_os_version
+        - src_dvc_host
+        - src_dvc_mac
+        - dest_dvc_category
+        - dest_dvc_profile
+        - dest_dvc_model
+        - dest_dvc_vendor
+        - dest_dvc_os_family
+        - dest_dvc_os_version
+        - dest_dvc_host
+        - dest_dvc_mac
+        - container_id
+        - pod_namespace
+        - pod_name
+        - src_edl
+        - dest_edl
+        - host_id
+        - dvc_serial_number
+        - src_dag
+        - dest_dag
+        - session_owner
+        - high_res_timestamp
+        - nsdsai_sst
+        - nsdsai_sd
+        - app_subcategory
+        - app_category
+        - app_technology
+        - app_risk
+        - app_characteristic
+        - app_container
+        - app_tunneled
+        - app_saas
+        - app_sanction
+        - offloaded
       remove: []
       keep: []
       dstField: __parsed

default/pipelines/pan_userid/conf.yml

@@ -113,6 +113,12 @@ functions:
         - factor_type
         - factor_completion_time
         - factor_number
+        - future_use2
+        - future_use3
+        - ugflags
+        - userbysource
+        - high_res_timestamp
       remove:
         - future_use*
         - "*_time"
+        - high_res_timestamp

package.json

@@ -1 +1 @@
-{"name":"PAN","version":"0.6.3","author":"Brendan Dalpe - Cribl","description":"Process, reduce, and transform Palo Alto Networks Firewall logs.","displayName":"Palo Alto Networks"}
+{"name":"PAN","version":"0.7.0","author":"Brendan Dalpe - Cribl","description":"Process, reduce, and transform Palo Alto Networks Firewall logs.","displayName":"Palo Alto Networks"}