[Enhancement] [PANW] Make enhancement in connector with best practices implementation (#4670)

* Add an on_failure processor to the date processor and mapped field source.user.name & source.user.domain properly

* Update changelog entry

* Resolved merege conflict

Author: vinit-chauhan

packages/panw/_dev/deploy/docker/docker-compose.yml

@@ -7,17 +7,17 @@ services:
       - ${SERVICE_LOGS_DIR}:/var/log
     command: /bin/sh -c "cp /sample_logs/* /var/log/"
   panw-panos-tls:
-    image: docker.elastic.co/observability/stream:v0.6.2
+    image: docker.elastic.co/observability/stream:v0.8.0
     volumes:
       - ./syslog_logs:/sample_logs:ro
     command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=tls --insecure /sample_logs/*.log
   panw-panos-tcp:
-    image: docker.elastic.co/observability/stream:v0.6.2
+    image: docker.elastic.co/observability/stream:v0.8.0
     volumes:
       - ./syslog_logs:/sample_logs:ro
     command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/*.log
   panw-panos-udp:
-    image: docker.elastic.co/observability/stream:v0.6.2
+    image: docker.elastic.co/observability/stream:v0.8.0
     volumes:
       - ./syslog_logs:/sample_logs:ro
     command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/*.log

packages/panw/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "3.3.0"
+  changes:
+    - description: Add an on_failure processor to the date processor.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4670
+    - description: Field source.user.name & source.user.domain is not mapped properly.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4670
 - version: "3.2.2"
   changes:
     - description: Support strings on `panos.certificate.size` field

packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-decryption-sample.log

@@ -1,2 +1,2 @@
 <14>Nov 30 16:09:33 PA-220 1,2021/11/11 15:42:44,007051000184334,DECRYPTION,0,2561,2021/11/11 15:42:44,81.2.69.145,81.2.69.144,81.2.69.145,81.2.69.144,intrazone-default,,,incomplete,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,,2021/11/11 15:42:44,33288,1,49908,443,49908,20077,0x1400000,tcp,allow,N/A,,,,,731a6a1a-9a62-4a92-a49a-0876025a9436,Server_Hello,Client_Hello,TLS1.2,ECDHE,AES_256_GCM,SHA384,,,Certificate,trusted,Trusted,GlobalProtect,ba67e84495b59512,a6a13e87221733b712ddbd0978da1ffdd69503dfd1f0a86f73d86bf90b743b85,2021/11/11 15:21:28,2022/11/11 15:21:28,V3,2048,9,9,0,0,:::::RSA,com.example.com,com.example.com,,,Received fatal alert CertificateUnknown from client,,,,,,,,2021-11-11T15:42:44.845-08:00,,,,,,,,,,,,,,,,,7028724914890736000,0x0,0,0,0,0,,PA-VM,1,unknown,unknown,unknown,1,,,incomplete,no
-<134>1 2022-11-03T13:40:34+01:00 PA-220 1,2021/11/11 15:42:44,007051000184334,DECRYPTION,0,2561,2021/11/11 15:42:44,81.2.69.145,81.2.69.144,81.2.69.145,81.2.69.144,intrazone-default,,,incomplete,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,,2021/11/11 15:42:44,33288,1,49908,443,49908,20077,0x1400000,tcp,allow,N/A,,,,,731a6a1a-9a62-4a92-a49a-0876025a9436,Server_Hello,Client_Hello,TLS1.2,ECDHE,AES_256_GCM,SHA384,,,Certificate,trusted,Trusted,GlobalProtect,ba67e84495b59512,a6a13e87221733b712ddbd0978da1ffdd69503dfd1f0a86f73d86bf90b743b85,2021/11/11 15:21:28,2022/11/11 15:21:28,V3,Unknown,9,9,0,0,:::::RSA,com.example.com,com.example.com,,,Received fatal alert CertificateUnknown from client,,,,,,,,2021-11-11T15:42:44.845-08:00,,,,,,,,,,,,,,,,,7028724914890736000,0x0,0,0,0,0,,PA-VM,1,unknown,unknown,unknown,1,,,incomplete,no
+<134>1 2022-11-03T13:40:34+01:00 PA-220 1,2021/11/11 15:42:44,007051000184334,DECRYPTION,0,2561,2021/11/11 15:42:44,81.2.69.145,81.2.69.144,81.2.69.145,81.2.69.144,intrazone-default,,,incomplete,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,,2021/11/11 15:42:44,33288,1,49908,443,49908,20077,0x1400000,tcp,allow,N/A,,,,,731a6a1a-9a62-4a92-a49a-0876025a9436,Server_Hello,Client_Hello,TLS1.2,ECDHE,AES_256_GCM,SHA384,,,Certificate,trusted,Trusted,GlobalProtect,ba67e84495b59512,a6a13e87221733b712ddbd0978da1ffdd69503dfd1f0a86f73d86bf90b743b85,2021/11/11 15:21:28,2022/11/11 15:21:28,V3,Unknown,9,9,0,0,:::::RSA,com.example.com,com.example.com,,,Received fatal alert CertificateUnknown from client,,,,,,,,2021-11-11T15:42:44.845-08:00,,,,,,,,,,,,,,,,,7028724914890736000,0x0,0,0,0,0,,PA-VM,1,unknown,unknown,unknown,1,,,incomplete,no

packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-globalprotect-sample.log-expected.json

@@ -838,7 +838,7 @@
                     "10.1.1.1"
                 ],
                 "user": [
-                    "host"
+                    "user"
                 ]
             },
             "source": {
@@ -847,7 +847,8 @@
                     "ip": "10.1.1.1"
                 },
                 "user": {
-                    "name": "host"
+                    "domain": "host",
+                    "name": "user"
                 }
             },
             "tags": [

packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log

@@ -196,4 +196,4 @@ Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/
 1,2021/10/26 14:32:02,,TRAFFIC,end,2561,2021/10/26 14:32:02,81.2.69.144,81.2.69.145,,,intrazone-default,,,syslog,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,LFPpan,2021/10/26 14:32:02,15843,1,37151,30514,0,0,0x10005e,udp,allow,1231,641,590,2,2021/10/26 14:31:26,0,any,,7022390495259151734,0x0,United States,United States,,1,1,aged-out,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:32:02.775-07:00
 1,2021/10/26 14:31:37,,TRAFFIC,end,2561,2021/10/26 14:31:37,81.2.69.144,81.2.69.145,,,intrazone-default,,,syslog,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,LFPpan,2021/10/26 14:31:37,15840,1,43096,30514,0,0,0x10005e,udp,allow,2544,1364,1180,4,2021/10/26 14:31:01,0,any,,7022390495259151733,0x0,United States,United States,,2,2,aged-out,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:37.773-07:00
 1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,192.168.10.111,81.2.69.193,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15845,1,64898,53,60860,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151732,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.773-07:00
-1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,192.168.10.111,81.2.69.193,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00
+1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,192.168.10.111,81.2.69.193,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00

packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/authentication.yml

@@ -49,13 +49,13 @@ processors:
   - append:
       field: source.user.name
       value: '{{{_temp_.user}}}'
-      if: ctx._temp_?.user != null && ctx._temp_?.user != ''
+      if: ctx._temp_?.user != null && ctx._temp_.user != ''
       allow_duplicates: false
       ignore_failure: true
   - append:
       field: source.user.name
       value: '{{{panw.panos.normalize_user}}}'
-      if: ctx.panw?.panos?.normalize_user != null && ctx.panw?.panos?.normalize_user != ''
+      if: ctx.panw?.panos?.normalize_user != null && ctx.panw.panos.normalize_user != ''
       allow_duplicates: false
       ignore_failure: true
 
@@ -94,7 +94,6 @@ processors:
       field: panw.panos.user_agent
       copy_from: _temp_.user_agent
       ignore_failure: true
-  
 on_failure:
   - append:
       field: error.message

packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/correlated_event.yml

@@ -53,7 +53,7 @@ processors:
       field: panw.panos.source.user
       copy_from: _temp_.srcuser
       ignore_failure: true
-  
+
 on_failure:
   - append:
       field: error.message

packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/decryption.yml

@@ -116,35 +116,55 @@ processors:
       field: panw.panos.certificate.not_after
       target_field: panw.panos.certificate.not_after
       formats:
-        - "yyyy/MM/dd HH:mm:ss"
-        - "strict_date_optional_time_nanos"
-      ignore_failure: true
+        - 'yyyy/MM/dd HH:mm:ss'
+        - 'strict_date_optional_time_nanos'
+      on_failure:
+        - remove:
+            field: panw.panos.certificate.not_after
+        - append:
+            field: error.message
+            value: '{{{_ingest.on_failure_message}}}'
   - date:
       if: ctx.event?.timezone != null
       field: panw.panos.certificate.not_after
       target_field: panw.panos.certificate.not_after
       formats:
-        - "yyyy/MM/dd HH:mm:ss"
-        - "strict_date_optional_time_nanos"
+        - 'yyyy/MM/dd HH:mm:ss'
+        - 'strict_date_optional_time_nanos'
       timezone: '{{{ event.timezone }}}'
-      ignore_failure: true
+      on_failure:
+        - remove:
+            field: panw.panos.certificate.not_after
+        - append:
+            field: error.message
+            value: '{{{_ingest.on_failure_message}}}'
   - date:
       if: ctx.event?.timezone == null
       field: panw.panos.certificate.not_before
       target_field: panw.panos.certificate.not_before
       formats:
-        - "yyyy/MM/dd HH:mm:ss"
-        - "strict_date_optional_time_nanos"
-      ignore_failure: true
+        - 'yyyy/MM/dd HH:mm:ss'
+        - 'strict_date_optional_time_nanos'
+      on_failure:
+        - remove:
+            field: panw.panos.certificate.not_before
+        - append:
+            field: error.message
+            value: '{{{_ingest.on_failure_message}}}'
   - date:
       if: ctx.event?.timezone != null
       field: panw.panos.certificate.not_before
       target_field: panw.panos.certificate.not_before
       formats:
-        - "yyyy/MM/dd HH:mm:ss"
-        - "strict_date_optional_time_nanos"
+        - 'yyyy/MM/dd HH:mm:ss'
+        - 'strict_date_optional_time_nanos'
       timezone: '{{{ event.timezone }}}'
-      ignore_failure: true
+      on_failure:
+        - remove:
+            field: panw.panos.certificate.not_before
+        - append:
+            field: error.message
+            value: '{{{_ingest.on_failure_message}}}'
 
 # Set event.kind & event.category field.
   - set: