diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8a4152bf57a..ce7034d05c8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -25,6 +25,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer is now lowercase & http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982] +- With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta) +will no longer send the `host` field that contains information about the host Filebeat is +running on. This is because the `host` field specifies the host on which the event +happened. {issue}13920[13920] {pull}18223[18223] +- With the default configuration the cef and panw modules will no longer send the `host` +field. You can revert this change by configuring tags for the module and omitting +`forwarded` from the list. {issue}13920[13920] {pull}18223[18223] *Heartbeat* 
@@ -325,6 +332,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
 - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
 - Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]
+- Added `observer.vendor`, `observer.product`, and `observer.type` to PANW module events. {pull}18223[18223]
 - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095]
 
 *Heartbeat*
diff --git a/filebeat/_meta/config/processors.yml.tmpl b/filebeat/_meta/config/processors.yml.tmpl
new file mode 100644
index 00000000000..26da2cbe74f
--- /dev/null
+++ b/filebeat/_meta/config/processors.yml.tmpl
@@ -0,0 +1,7 @@
+{{header "Processors"}}
+processors:
+  - add_host_metadata:
+      when.not.contains.tags: forwarded
+  - add_cloud_metadata: ~
+  - add_docker_metadata: ~
+  - add_kubernetes_metadata: ~
diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc
index 38ac4e4cd5b..cb5af4a9230 100644
--- a/filebeat/docs/modules/cef.asciidoc
+++ b/filebeat/docs/modules/cef.asciidoc
@@ -40,6 +40,12 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cef, forwarded]`. + [float] ==== Forcepoint NGFW Security Management Center
diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml
index 51a0d40224e..9dbcc8f6c64 100644
--- a/filebeat/filebeat.yml
+++ b/filebeat/filebeat.yml
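Review bot: The `when.not.contains.tags: forwarded` condition on `add_host_metadata` carries the behavioural change of this commit, yet the template that produces the reference config users copy from explains neither the condition nor the tag, and the `# Configure processors to enhance or manipulate events generated by the beat.` comment the generated filebeat.yml used to carry disappears with it. A comment above the processor such as `# Skip host.* for events tagged "forwarded": they describe another host, so host.* would otherwise name the collector rather than the origin.` keeps the intent next to the setting. If the `contains` condition is a substring match, as I believe the libbeat matcher is, a tag such as `not-forwarded` would also suppress host metadata; worth confirming before `forwarded` becomes the documented contract.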
@@ -172,16 +172,13 @@ output.elasticsearch: #ssl.key: "/etc/pki/client/cert.key" # ================================= Processors ================================= - -# Configure processors to enhance or manipulate events generated by the beat. - processors: - - add_host_metadata: ~ + - add_host_metadata: + when.not.contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ - # ================================== Logging =================================== # Sets log level. The default log level is info.
diff --git a/filebeat/fileset/fileset.go b/filebeat/fileset/fileset.go
index e1f6da6c1da..8c296046463 100644
--- a/filebeat/fileset/fileset.go
+++ b/filebeat/fileset/fileset.go
@@ -27,6 +27,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"reflect"
 	"runtime"
 	"strings"
 	"text/template"
@@ -290,6 +291,18 @@ func getTemplateFunctions(vars map[string]interface{}) (template.FuncMap, error)
 	}
 
 	return template.FuncMap{
+		"inList": func(collection []interface{}, item string) bool {
+			for _, h := range collection {
+				if reflect.DeepEqual(item, h) {
+					return true
+				}
+			}
+			return false
+		},
+		"tojson": func(v interface{}) (string, error) {
+			bytes, err := json.Marshal(v)
+			return string(bytes), err
+		},
 		"IngestPipeline": func(shortID string) string {
 			return formatPipelineID(
 				builtinVars["prefix"].(string),
diff --git a/filebeat/fileset/fileset_test.go b/filebeat/fileset/fileset_test.go
index e7865074d8d..4a8087af2b4 100644
--- a/filebeat/fileset/fileset_test.go
+++ b/filebeat/fileset/fileset_test.go
@@ -288,6 +288,7 @@ func TestGetTemplateFunctions(t *testing.T) {
 	templateFunctions, err := getTemplateFunctions(vars)
 	assert.NoError(t, err)
 	assert.IsType(t, template.FuncMap{}, templateFunctions)
-	assert.Len(t, templateFunctions, 1)
+	assert.Contains(t, templateFunctions, "inList")
+	assert.Contains(t, templateFunctions, "tojson")
 	assert.Contains(t, templateFunctions, "IngestPipeline")
 }
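Review bot: `inList` only accepts `[]interface{}`, so if `.tags` ever arrives as a `[]string` or as a scalar (a user writing `var.tags: forwarded` instead of a list), text/template aborts the whole fileset render with a `wrong type for value` error that never names the variable, and `reflect.DeepEqual` is a roundabout way to compare a string with a list element (it is the sole reason for the `reflect` import added in the earlier hunk). I would take `interface{}`, switch on the concrete list type, compare with `==`, and return an error for anything that is not a list so the misconfiguration surfaces with a clear message; `reflect` can then be dropped, and in `tojson` the local `bytes` should become `b` since it shadows the `bytes` package wherever that is imported. Each function also deserves a one-line comment saying what templates use it for, e.g. `// inList reports whether item is one of the strings in collection.` `getTemplateFunctions` starts and ends outside the hunk; the rewrite assumes `fmt` is already imported in fileset.go, which the visible import hunk does not show.
```go
	return template.FuncMap{
		// inList reports whether item is one of the strings in collection.
		// Module configs use it as `{{ inList .tags "forwarded" }}`; a value
		// that is not a list is a misconfiguration and is reported as an error.
		"inList": func(collection interface{}, item string) (bool, error) {
			switch c := collection.(type) {
			case nil:
				return false, nil
			case []string:
				for _, s := range c {
					if s == item {
						return true, nil
					}
				}
				return false, nil
			case []interface{}:
				for _, h := range c {
					if s, ok := h.(string); ok && s == item {
						return true, nil
					}
				}
				return false, nil
			default:
				return false, fmt.Errorf("inList: expected a list of strings, got %T", collection)
			}
		},
		// tojson renders v as JSON so a list var can be embedded in YAML as a flow sequence.
		"tojson": func(v interface{}) (string, error) {
			b, err := json.Marshal(v)
			return string(b), err
		},
		// … unchanged: IngestPipeline …
```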
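Review bot: Replacing `assert.Len(t, templateFunctions, 1)` with two `Contains` checks drops the only assertion that nothing unintended is registered; `assert.Len(t, templateFunctions, 3)` next to the three `Contains` lines keeps it. Nothing exercises the new functions' behaviour either: `inList := templateFunctions["inList"].(func([]interface{}, string) bool)` followed by `assert.True(t, inList([]interface{}{"cef", "forwarded"}, "forwarded"))` and `assert.False(t, inList(nil, "forwarded"))` would pin the contract the module configs depend on. `TestGetTemplateFunctions` begins outside the hunk.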
diff --git a/x-pack/filebeat/filebeat.yml b/x-pack/filebeat/filebeat.yml index 51a0d40224e..9dbcc8f6c64 100644 --- a/x-pack/filebeat/filebeat.yml +++ b/x-pack/filebeat/filebeat.yml @@ -172,16 +172,13 @@ output.elasticsearch: #ssl.key: "/etc/pki/client/cert.key" # ================================= Processors ================================= - -# Configure processors to enhance or manipulate events generated by the beat. - processors: - - add_host_metadata: ~ + - add_host_metadata: + when.not.contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ - # ================================== Logging =================================== # Sets log level. The default log level is info. diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index 009b03388f7..5a56f210c79 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -4,6 +4,9 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml index 4ab358804c9..2a6f38d1fad 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml @@ -38,6 +38,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml index 16d188c1c0d..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml 
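Review bot: `publisher_pipeline.disable_host` is computed from the same `tags` var one line above, so the coupling between `var.tags` and `host.name` is invisible to someone reading the rendered input config; a comment such as `# disable_host follows tags: remove "forwarded" from var.tags to get host.name back` saves the cross-reference to the manifest and to fileset.go. Both lines also assume `.tags` renders as a list, which holds for the manifest default `[forwarded]` but not for a user override given as a scalar; that case is best caught in `inList` itself rather than here. The same pair of lines is added to cloudtrail's s3.yml in this section and to the cloudwatch and ec2 file.yml and s3.yml hunks later in the diff, so one comment in each is enough.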
@@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 9b36d634481..316ddd56146 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 78ad7dc6984..39eb927bc8a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -34,6 +34,9 @@ "source.geo.region_iso_code": "CN-CQ", "source.geo.region_name": "Chongqing", "source.ip": "123.145.67.89", + "tags": [ + "forwarded" + ], "user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index 02532f93aa8..e6903e9d78d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json 
@@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -58,6 +61,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index 6735d4bbe9a..670a6dfd8b5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "192.0.2.110", "source.ip": "192.0.2.110", + "tags": [ + "forwarded" + ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JohnDoe", "user_agent.device.name": "Other", @@ -66,6 +69,9 @@ "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", + "tags": [ + "forwarded" + ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JaneDoe", "user_agent.device.name": "Other", @@ -111,6 +117,9 @@ "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", + "tags": [ + "forwarded" + ], "user.id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "user.name": "RoleToBeAssumed", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 43fa88f05f0..892de5848b6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json 
@@ -32,6 +32,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index 1e07ca70e81..1edd9a07ab1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -63,6 +66,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 1c66362a9fc..8330d7b5135 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -32,6 +32,9 @@ "source.geo.region_iso_code": "US-VA", "source.geo.region_name": "Virginia", "source.ip": "72.21.198.64", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index 7c9bc46ca8d..fda411e58d4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json @@ -30,6 +30,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index 2a0bd3b19cd..4d73d319fdb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index e46d89a5c6d..4f055c52f3f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index 34ac136cd52..d15582a8d76 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json 
@@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index 698cae731a1..abcfae25b82 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json index 31274005d66..c7ed41a19c5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "192.0.2.1", "source.ip": "192.0.2.1", + "tags": [ + "forwarded" + ], "user.id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 6e058b71108..9ad99a507a6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json 
@@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -62,6 +65,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_PRINCIPLE", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index b39ab00d2e2..e6dd520a96d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index b55a58cfc54..48e2714075c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index 8d3c1a55edc..b05c343b039 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index 81eae87f97c..dec4fb376e5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 0692ebb0222..670a8bf85da 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -30,6 +30,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index 36772d56aaf..7bac448522f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json 
@@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index d71f69eb606..2fe5ca36f20 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json index a313846b14c..392b10b690b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json index b67deb55c2e..c892d1968ff 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json 
@@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json index c643a0df09f..6d01d7de36f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json index 4f51063cadf..94c01261460 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json @@ -25,6 +25,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -60,6 +63,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json index 44d123d3591..381986a0e25 100644 
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json index fa9671014a7..69f928b7abc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", @@ -69,6 +72,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index fec80eef8de..bb67237971e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -34,6 +34,9 @@ "source.geo.region_iso_code": "US-OR", "source.geo.region_name": "Oregon", "source.ip": "205.251.233.182", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Spider", 
@@ -73,6 +76,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json index ace5d1290d2..2c97ff455df 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json index bbed1e444f6..a111370b004 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json @@ -32,6 +32,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "forwarded" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml index 009b03388f7..5a56f210c79 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml @@ -4,6 +4,9 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml index 75d02f1cbbb..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml @@ -37,6 +37,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml index 16d188c1c0d..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml @@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json index bdc8b0c3a72..42cf5fb35dc 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json @@ -8,7 +8,10 @@ "input.type": "log", "log.offset": 0, "message": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:18.000Z", @@ -19,7 +22,10 @@ "input.type": "log", "log.offset": 96, "message": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", 
@@ -30,7 +36,10 @@ "input.type": "log", "log.offset": 211, "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -41,7 +50,10 @@ "input.type": "log", "log.offset": 345, "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -52,7 +64,10 @@ "input.type": "log", "log.offset": 461, "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -63,6 +78,9 @@ "input.type": "log", "log.offset": 586, "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml index 009b03388f7..5a56f210c79 100644 --- a/x-pack/filebeat/module/aws/ec2/config/file.yml +++ b/x-pack/filebeat/module/aws/ec2/config/file.yml @@ -4,6 +4,9 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/ec2/config/s3.yml b/x-pack/filebeat/module/aws/ec2/config/s3.yml index 75d02f1cbbb..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/ec2/config/s3.yml 
+++ b/x-pack/filebeat/module/aws/ec2/config/s3.yml @@ -37,6 +37,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/ec2/manifest.yml b/x-pack/filebeat/module/aws/ec2/manifest.yml index 16d188c1c0d..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/ec2/manifest.yml +++ b/x-pack/filebeat/module/aws/ec2/manifest.yml @@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json index c2635e6a802..b00d6950ee4 100644 --- a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json +++ b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json @@ -9,7 +9,10 @@ "log.offset": 0, "message": "Stopping User Slice of root.", "process.name": "systemd", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:18.000Z", @@ -22,7 +25,10 @@ "message": "XMT: Solicit on eth0, interval 125240ms.", "process.name": "dhclient", "process.pid": "3000", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -35,7 +41,10 @@ "message": "DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)", "process.name": "dhclient", "process.pid": "2898", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", 
@@ -48,7 +57,10 @@ "message": "DHCPACK from 172.31.80.1 (xid=0x4575af22)", "process.name": "dhclient", "process.pid": "2898", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -61,7 +73,10 @@ "message": "bound to 172.31.81.156 -- renewal in 1599 seconds.", "process.name": "dhclient", "process.pid": "2898", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2020-02-20T07:02:37.000Z", @@ -73,6 +88,9 @@ "log.offset": 586, "message": "[get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s", "process.name": "ec2net", - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml index 9628dd63bad..498a7906457 100644 --- a/x-pack/filebeat/module/aws/elb/config/file.yml +++ b/x-pack/filebeat/module/aws/elb/config/file.yml @@ -4,6 +4,9 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/elb/config/s3.yml b/x-pack/filebeat/module/aws/elb/config/s3.yml index 75d02f1cbbb..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/elb/config/s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/s3.yml @@ -37,6 +37,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/elb/manifest.yml b/x-pack/filebeat/module/aws/elb/manifest.yml index 418becaf828..f823ccbacce 100644 --- a/x-pack/filebeat/module/aws/elb/manifest.yml +++ b/x-pack/filebeat/module/aws/elb/manifest.yml 
@@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index 093cc1fc2e7..eddf8ae9c5a 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -41,6 +41,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56398", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da09932-2c342a443bfb96249aa50ed7", "user_agent.original": "curl/7.58.0" }, @@ -86,6 +89,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56488", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da09954-2c342a443bfb96249aa50ed7", "user_agent.original": "curl/7.58.0" }, @@ -131,6 +137,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56416", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da09938-d9c72660e247c36070017828", "user_agent.original": "curl/7.58.0" }, @@ -176,6 +185,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56448", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da09945-0eaa8050df7d96f84806ded0", "user_agent.original": "curl/7.58.0" }, @@ -221,6 +233,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56602", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da0997a-5add00b04bc8ae20ae96d9f0", "user_agent.original": "curl/7.58.0" }, 
@@ -266,6 +281,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "56638", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da09987-cc391940b332434860dfa848", "user_agent.original": "curl/7.58.0" }, @@ -311,6 +329,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "37632", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da099cb-3d3b17eb2b75373f4c0c36c5", "user_agent.original": "curl/7.58.0" }, @@ -360,6 +381,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "37838", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af", "user_agent.original": "curl/7.58.0" }, @@ -409,6 +433,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "37850", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da0a5df-7d64cabe9955b4df9acc800a", "user_agent.original": "curl/7.58.0" }, @@ -458,6 +485,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "37856", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4", "user_agent.original": "curl/7.58.0" } diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json index f8b0d751e75..a0d7a291196 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json @@ -37,6 +37,9 @@ "source.geo.region_name": "Moscow", "source.ip": "78.24.182.42", "source.port": "54106", + "tags": [ + "forwarded" + ], "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" }, { 
@@ -77,6 +80,9 @@ "source.geo.region_name": "Moscow Oblast", "source.ip": "31.135.65.4", "source.port": "54001", + "tags": [ + "forwarded" + ], "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" }, { @@ -117,6 +123,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "52406", + "tags": [ + "forwarded" + ], "user_agent.original": "curl/7.58.0" }, { @@ -157,6 +166,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "52410", + "tags": [ + "forwarded" + ], "user_agent.original": "curl/7.58.0" }, { @@ -197,6 +209,9 @@ "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", "source.port": "52414", + "tags": [ + "forwarded" + ], "user_agent.original": "curl/7.58.0" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json index c587af8defb..8b394e2b07e 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json @@ -30,7 +30,10 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "51600" + "source.port": "51600", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-17T13:23:07.523Z", @@ -63,7 +66,10 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "51726" + "source.port": "51726", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-17T13:23:08.477Z", @@ -96,7 +102,10 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "51734" + "source.port": "51734", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-17T13:23:09.174Z", 
@@ -129,7 +138,10 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "51738" + "source.port": "51738", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-17T13:26:14.308Z", @@ -162,7 +174,10 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "46288" + "source.port": "46288", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-17T13:26:19.318Z", @@ -195,6 +210,9 @@ "source.geo.region_iso_code": "ES-TE", "source.geo.region_name": "Teruel", "source.ip": "77.227.156.41", - "source.port": "46304" + "source.port": "46304", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json index 1a46cee8d85..3310b9d35c5 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json @@ -36,6 +36,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-58337262-36d228ad5d99923122bbe354", "user_agent.original": "curl/7.46.0" }, @@ -81,6 +84,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -127,6 +133,9 @@ "service.type": "aws", "source.ip": "10.0.1.252", "source.port": "48160", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -170,6 +179,9 @@ "service.type": "aws", "source.ip": "10.0.0.140", "source.port": "40914", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", "user_agent.original": "-" }, 
@@ -204,6 +216,9 @@ "service.type": "aws", "source.ip": "10.0.0.140", "source.port": "44244", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -244,6 +259,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", "user_agent.original": "curl/7.46.0" }, @@ -282,6 +300,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", "user_agent.original": "curl/7.46.0" }, @@ -311,6 +332,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tracing.trace.id": "-", "user_agent.original": "-" }, @@ -339,6 +363,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tracing.trace.id": "-", "user_agent.original": "-" } diff --git a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json index 72f9a57f6e3..21ede75caab 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "user_agent.original": "curl/7.38.0" }, { @@ -53,6 +56,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "user_agent.original": "curl/7.38.0" }, { @@ -77,6 +83,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "user_agent.original": "-" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json index ef09a37d579..8efd9e000bb 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json @@ -30,6 +30,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tls.cipher": "DHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index 74c1c0e8cc7..e9564154424 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -36,6 +36,9 @@ "source.geo.region_name": "Virginia", "source.ip": "72.21.218.154", "source.port": "51341", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls" diff --git a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json index 84f2748861c..acdbaa6f9b6 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json @@ -24,6 +24,9 @@ "source.bytes": 57, "source.ip": "192.168.131.39", "source.port": "2817", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", "tls.version": "1.2", "tls.version_protocol": "tls" diff --git a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json index af89134a830..20e2c101ed7 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json 
+++ b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json @@ -21,7 +21,10 @@ "service.type": "aws", "source.bytes": 82, "source.ip": "192.168.131.39", - "source.port": "2817" + "source.port": "2817", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2015-05-13T23:39:43.945Z", @@ -40,6 +43,9 @@ "service.type": "aws", "source.bytes": 82, "source.ip": "192.168.131.39", - "source.port": "2817" + "source.port": "2817", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index 52fc73f363d..498a7906457 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -4,6 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/s3access/config/s3.yml b/x-pack/filebeat/module/aws/s3access/config/s3.yml index 75d02f1cbbb..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/s3access/config/s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/s3.yml @@ -37,6 +37,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/s3access/manifest.yml b/x-pack/filebeat/module/aws/s3access/manifest.yml index 16d188c1c0d..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/s3access/manifest.yml +++ b/x-pack/filebeat/module/aws/s3access/manifest.yml @@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml 
diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index b312118a644..273b1512556 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -47,6 +47,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -106,6 +109,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -166,6 +172,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -225,6 +234,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", @@ -281,6 +293,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls" @@ -330,6 +345,9 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls" diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json index 61baec94c6c..fb6c38fb108 100644 
--- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json @@ -40,6 +40,9 @@ "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", @@ -88,6 +91,9 @@ "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", @@ -138,6 +144,9 @@ "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", @@ -186,6 +195,9 @@ "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", @@ -236,6 +248,9 @@ "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" ], "service.type": "aws", + "tags": [ + "forwarded" + ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.1", "tls.version_protocol": "tls", diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml index 82d4d2dec23..c9e88b6a743 100644 --- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml @@ -49,6 +49,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - drop_event: diff --git a/x-pack/filebeat/module/aws/vpcflow/manifest.yml b/x-pack/filebeat/module/aws/vpcflow/manifest.yml index 2bcc4d6cbe5..c7df14a4050 100644 --- a/x-pack/filebeat/module/aws/vpcflow/manifest.yml 
+++ b/x-pack/filebeat/module/aws/vpcflow/manifest.yml @@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json index f31e0bf9931..170b8851ec9 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json @@ -53,7 +53,10 @@ "source.geo.region_name": "Moscow", "source.ip": "78.24.182.42", "source.packets": 20, - "source.port": 20641 + "source.port": 20641, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2014-12-14T04:07:50.000Z", @@ -109,7 +112,10 @@ "source.geo.region_name": "Moscow", "source.ip": "78.24.182.42", "source.packets": 20, - "source.port": 49761 + "source.port": 49761, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2015-05-29T16:32:22.000Z", @@ -149,7 +155,10 @@ "source.bytes": 336, "source.ip": "203.0.113.12", "source.packets": 4, - "source.port": 0 + "source.port": 0, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2015-05-29T16:32:22.000Z", @@ -189,6 +198,9 @@ "source.bytes": 336, "source.ip": "172.31.16.139", "source.packets": 4, - "source.port": 0 + "source.port": 0, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json index a1e34b59b5c..d508bd63479 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json 
@@ -23,7 +23,10 @@ ], "service.type": "aws", "source.address": "10.0.1.5", - "source.ip": "10.0.1.5" + "source.ip": "10.0.1.5", + "tags": [ + "forwarded" + ] }, { "aws.vpcflow.instance_id": "i-01234567890123456", @@ -50,6 +53,9 @@ ], "service.type": "aws", "source.address": "10.0.1.5", - "source.ip": "10.0.1.5" + "source.ip": "10.0.1.5", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json index d288b8b06db..0a8feef3be5 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json @@ -39,6 +39,9 @@ "service.type": "aws", "source.address": "10.20.33.164", "source.ip": "10.20.33.164", - "source.port": 39812 + "source.port": 39812, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json index 12899b7b728..ac0ead951e9 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json @@ -38,6 +38,9 @@ "source.bytes": 8855, "source.ip": "2001:db8:1234:a100:8d6e:3477:df66:f105", "source.packets": 54, - "source.port": 34892 + "source.port": 34892, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json index 456b3efca62..22705d87101 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json 
@@ -19,7 +19,10 @@ "fileset.name": "vpcflow", "input.type": "log", "log.offset": 0, - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] }, { "@timestamp": "2015-05-10T18:02:14.000Z", @@ -41,6 +44,9 @@ "fileset.name": "vpcflow", "input.type": "log", "log.offset": 82, - "service.type": "aws" + "service.type": "aws", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json index cb24fd34183..6b7b788ac97 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json @@ -55,6 +55,9 @@ "source.geo.region_name": "Leinster", "source.ip": "52.213.180.42", "source.packets": 8, - "source.port": 43416 + "source.port": 43416, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index 9b747e1092d..9f24f85e3eb 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -5,3 +5,6 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml index 8e366e70c17..456cc5dce7c 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml 
@@ -4,3 +4,5 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/activitylogs/manifest.yml b/x-pack/filebeat/module/azure/activitylogs/manifest.yml index 4d5c20a7271..c83f17ce1a0 100644 --- a/x-pack/filebeat/module/azure/activitylogs/manifest.yml +++ b/x-pack/filebeat/module/azure/activitylogs/manifest.yml @@ -11,6 +11,8 @@ var: - name: storage_account - name: storage_account_key - name: resource_manager_endpoint + - name: tags + default: [forwarded] ingest_pipeline: - ingest/pipeline.json diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 51e34f7fd43..258a04d0aab 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -48,6 +48,9 @@ "log.level": "Information", "log.offset": 0, "service.type": "azure", - "source.ip": "51.251.141.41" + "source.ip": "51.251.141.41", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 3c2ea50cf8b..f8b88d18a4a 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -5,4 +5,5 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} - +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} 
diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index 8e366e70c17..456cc5dce7c 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -4,3 +4,5 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/auditlogs/manifest.yml b/x-pack/filebeat/module/azure/auditlogs/manifest.yml index 095371bff16..85029fc97a9 100644 --- a/x-pack/filebeat/module/azure/auditlogs/manifest.yml +++ b/x-pack/filebeat/module/azure/auditlogs/manifest.yml @@ -11,6 +11,8 @@ var: - name: storage_account - name: storage_account_key - name: resource_manager_endpoint + - name: tags + default: [forwarded] ingest_pipeline: - ingest/pipeline.json diff --git a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json index b1d6a668be6..9e3a37a4352 100644 --- a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json @@ -37,6 +37,9 @@ "input.type": "log", "log.level": "Informational", "log.offset": 0, - "service.type": "azure" + "service.type": "azure", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index 9b747e1092d..f8b88d18a4a 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml 
@@ -5,3 +5,5 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index 8e366e70c17..456cc5dce7c 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -4,3 +4,5 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/signinlogs/manifest.yml b/x-pack/filebeat/module/azure/signinlogs/manifest.yml index 97fddae51e9..c08e0eaeb87 100644 --- a/x-pack/filebeat/module/azure/signinlogs/manifest.yml +++ b/x-pack/filebeat/module/azure/signinlogs/manifest.yml @@ -11,6 +11,8 @@ var: - name: storage_account - name: storage_account_key - name: resource_manager_endpoint + - name: tags + default: [forwarded] ingest_pipeline: - ingest/pipeline.json diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 6c9aea80c36..8bc3778fe07 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -52,6 +52,9 @@ "log.offset": 0, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", "service.type": "azure", - "source.ip": "81.171.241.231" + "source.ip": "81.171.241.231", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 00d2ab1e791..365a07b933a 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -35,6 +35,12 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cef, forwarded]`. + [float] ==== Forcepoint NGFW Security Management Center diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index cf5bde45c89..49a2b1829be 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/cef/log/manifest.yml b/x-pack/filebeat/module/cef/log/manifest.yml index 60115d99b40..777ac5010be 100644 --- a/x-pack/filebeat/module/cef/log/manifest.yml +++ b/x-pack/filebeat/module/cef/log/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cef.log - name: tags - default: [cef] + default: [cef, forwarded] - name: syslog_host default: localhost - name: syslog_port diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index 99b9348a741..ca0127defbd 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -51,7 +51,8 @@ "source.port": 33876, "source.service.name": "httpd", "tags": [ - "cef" + "cef", + "forwarded" ], "url.original": "https://www.example.com/cart" }, 
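Review bot: Changing the `tags` default in the cef manifest from `[cef]` to `[cef, forwarded]` only affects deployments that never set `var.tags`; anyone already overriding it keeps receiving this host's metadata with no warning, and the manifest gives no hint that `config/input.yml` keys its `publisher_pipeline.disable_host` setting off this exact value. A short comment on the default would keep the next edit from dropping the tag, e.g. `# 'forwarded' marks events as originating on another device; input.yml uses it to suppress host.* fields.`. The docs hunk in the same file set describes the behaviour for users, but the manifest is where a maintainer will change the default.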
@@ -119,7 +120,8 @@ "source.port": 33876, "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -148,7 +150,8 @@ "service.type": "cef", "source.user.group.name": "user", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -182,7 +185,8 @@ "service.type": "cef", "source.ip": "192.168.3.4", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 1dce9c9aae7..8d027229032 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -90,7 +90,8 @@ "source.nat.port": 35398, "source.port": 49363, "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -139,7 +140,8 @@ "service.type": "cef", "source.port": 4001, "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -191,7 +193,8 @@ "service.type": "cef", "source.ip": "fd00::555", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index be322967983..70ef4f7776f 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -29,7 +29,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -62,7 +63,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -114,7 +116,8 @@ "service.type": "cef", "source.ip": "10.37.205.252", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -167,7 +170,8 @@ "source.ip": "172.16.1.1", "source.port": 68, "tags": [ - "cef" + "cef", + "forwarded" ] }, { 
@@ -218,7 +222,8 @@ "service.type": "cef", "source.ip": "172.16.1.1", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -266,7 +271,8 @@ "source.bytes": 32526, "source.user.name": "alice", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -308,7 +314,8 @@ "source.ip": "192.168.1.1", "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -350,7 +357,8 @@ "source.ip": "192.168.1.1", "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -392,7 +400,8 @@ "source.ip": "172.16.2.1", "source.user.name": "alice", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -425,7 +434,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/audit/config/input.yml b/x-pack/filebeat/module/googlecloud/audit/config/input.yml index 04c746177f8..4c30e23b5e3 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/audit/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/audit/manifest.yml b/x-pack/filebeat/module/googlecloud/audit/manifest.yml index 347d8eaa1cb..cacba81ad71 100644 --- a/x-pack/filebeat/module/googlecloud/audit/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/audit/manifest.yml @@ -13,6 +13,9 @@ var: - name: credentials_json - name: keep_original_message default: false + - name: tags + default: [forwarded] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 61db8fc207d..18754e2db95 100644 
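Review bot: The googlecloud audit manifest hunk inserts a stray blank line (the content-less `+` line) between the new `tags` variable and `ingest_pipeline:`, which the azure manifests in L32–L34 do not, so the five manifests now disagree on layout; dropping that line keeps the `var:` block contiguous and consistent. The same extra blank line is added in the firewall manifest on L39 and the vpcflow manifest on L42. As with the other modules, the new `- name: tags` entry would benefit from a one-line comment stating what `forwarded` controls, e.g. `# 'forwarded' suppresses this collector's host.* fields (see config/input.yml).`.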
--- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -31,6 +31,9 @@ "service.name": "cloudbilling.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "forwarded" + ], "user.email": "xxx@xxx.xxx" }, { @@ -72,6 +75,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "forwarded" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -126,6 +132,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "forwarded" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -175,6 +184,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "forwarded" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", diff --git a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml index 779e7a0bff1..d6579aa9f47 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml index 53e4c5dc69d..6563173197f 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml 
@@ -15,6 +15,9 @@ var: default: false - name: keep_original_message default: false + - name: tags + default: [forwarded] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json index c109a99ac29..fb34db02422 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json @@ -61,7 +61,10 @@ "source.address": "10.142.0.10", "source.domain": "test-es", "source.ip": "10.142.0.10", - "source.port": 57794 + "source.port": 57794, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-06T16:41:38.394Z", @@ -125,6 +128,9 @@ "source.address": "10.142.0.16", "source.domain": "local-adrian-test", "source.ip": "10.142.0.16", - "source.port": 80 + "source.port": 80, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index 161bf3dbfdb..c8b16376e8f 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -59,7 +59,10 @@ "source.address": "10.128.0.16", "source.domain": "adrian-test", "source.ip": "10.128.0.16", - "source.port": 60094 + "source.port": 60094, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-10-30T13:52:42.191Z", @@ -120,7 +123,10 @@ "source.geo.continent_name": "Asia", "source.geo.country_name": "omn", "source.ip": "192.0.2.126", - "source.port": 64853 + "source.port": 64853, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:31:19.421Z", 
@@ -184,7 +190,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Krasnodar Krai", "source.ip": "192.0.2.219", - "source.port": 2897 + "source.port": 2897, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:41:31.079Z", @@ -246,7 +255,10 @@ "source.geo.continent_name": "Europe", "source.geo.country_name": "deu", "source.ip": "192.0.2.14", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:41:34.190Z", @@ -308,7 +320,10 @@ "source.geo.continent_name": "Europe", "source.geo.country_name": "deu", "source.ip": "192.0.2.14", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:48:41.449Z", @@ -372,7 +387,10 @@ "source.geo.country_name": "ukr", "source.geo.region_name": "Zhytomyr Oblast", "source.ip": "192.0.2.151", - "source.port": 62551 + "source.port": 62551, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T13:10:24.214Z", @@ -436,7 +454,10 @@ "source.geo.country_name": "ita", "source.geo.region_name": "Veneto", "source.ip": "192.0.2.241", - "source.port": 44542 + "source.port": 44542, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T13:35:23.504Z", @@ -500,7 +521,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Tula Oblast", "source.ip": "192.0.2.114", - "source.port": 41293 + "source.port": 41293, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T13:36:52.135Z", @@ -564,7 +588,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Stavropol Krai", "source.ip": "192.0.2.251", - "source.port": 59106 + "source.port": 59106, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T14:06:16.593Z", 
@@ -628,7 +655,10 @@ "source.geo.country_name": "fra", "source.geo.region_name": "Provence-Alpes-C\u00f4te d'Azur", "source.ip": "192.0.2.189", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T14:06:22.930Z", @@ -692,7 +722,10 @@ "source.geo.country_name": "fra", "source.geo.region_name": "Provence-Alpes-C\u00f4te d'Azur", "source.ip": "192.0.2.189", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T14:32:07.407Z", @@ -756,7 +789,10 @@ "source.geo.country_name": "tur", "source.geo.region_name": "\u0130zmir", "source.ip": "192.0.2.200", - "source.port": 42716 + "source.port": 42716, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-12T12:41:20.972Z", @@ -818,7 +854,10 @@ "source.address": "10.28.0.16", "source.domain": "adrian-test", "source.ip": "10.28.0.16", - "source.port": 46418 + "source.port": 46418, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-12T12:42:26.505Z", @@ -880,7 +919,10 @@ "source.address": "10.28.0.16", "source.domain": "adrian-test", "source.ip": "10.28.0.16", - "source.port": 58725 + "source.port": 58725, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:54:13.531Z", @@ -948,7 +990,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 44666 + "source.port": 44666, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:54:13.551Z", @@ -1016,7 +1061,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 44668 + "source.port": 44668, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:54:15.771Z", @@ -1079,7 +1127,10 @@ "source.geo.country_name": "nld", "source.geo.region_name": "Overijssel", "source.ip": "192.0.2.7", - "source.port": 1683 + "source.port": 1683, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:54:35.850Z", 
@@ -1147,7 +1198,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 45068 + "source.port": 45068, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-11T12:54:35.850Z", @@ -1215,7 +1269,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 45062 + "source.port": 45062, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-11-06T16:41:38.394Z", @@ -1282,6 +1339,9 @@ "source.address": "10.42.0.10", "source.domain": "test-es", "source.ip": "10.42.0.10", - "source.port": 57794 + "source.port": 57794, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml index 010ec42bc35..cf89526bbe5 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml index 6c2ec7c1da3..3ddb0800223 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml @@ -13,6 +13,9 @@ var: - name: credentials_json - name: keep_original_message default: false + - name: tags + default: [forwarded] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json index 203a89dcd2e..9a71b1c35a6 100644 
--- a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json @@ -48,7 +48,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -106,7 +109,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 68, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -164,7 +170,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 78, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -216,7 +225,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 1, - "source.port": 22 + "source.port": 22, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -267,7 +279,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -318,7 +333,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 50646 + "source.port": 50646, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -376,7 +394,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -434,7 +455,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 92, - "source.port": 33880 + "source.port": 33880, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -492,7 +516,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 247, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -550,7 +577,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 63, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -602,7 +632,10 @@ "source.geo.region_name": "Saint Petersburg", "source.ip": "192.0.2.23", "source.packets": 3, - "source.port": 59679 + "source.port": 59679, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -660,7 +693,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 94, - "source.port": 33576 + "source.port": 33576, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -718,7 +754,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 356, - "source.port": 33562 + "source.port": 33562, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -776,7 +815,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33692 + "source.port": 33692, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -834,7 +876,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 360, - "source.port": 33542 + "source.port": 33542, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -892,7 +937,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 99, - "source.port": 33970 + "source.port": 33970, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -940,7 +988,10 @@ "source.bytes": 34509840, "source.ip": "203.0.113.93", "source.packets": 8690, - "source.port": 9243 + "source.port": 9243, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -991,7 +1042,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 34836 + "source.port": 34836, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1049,7 +1103,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 367, - "source.port": 33554 + "source.port": 33554, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1102,7 +1159,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 608, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1160,7 +1220,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 258, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1208,7 +1271,10 @@ "source.domain": "simianhacker-demo", "source.ip": "10.49.136.133", "source.packets": 44438, - "source.port": 46864 + "source.port": 46864, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1259,7 +1325,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 33478 + "source.port": 33478, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1317,7 +1386,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 241, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -1370,7 +1442,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 732, - "source.port": 65320 + "source.port": 65320, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1428,7 +1503,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 246, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1486,7 +1564,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 340, - "source.port": 33548 + "source.port": 33548, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1537,7 +1618,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1590,7 +1674,10 @@ "source.geo.region_name": "Vinh Phuc Province", "source.ip": "192.0.2.165", "source.packets": 18, - "source.port": 59623 + "source.port": 59623, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1648,7 +1735,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 363, - "source.port": 33552 + "source.port": 33552, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1699,7 +1789,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33924 + "source.port": 33924, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1757,7 +1850,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 260, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -1815,7 +1911,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 265, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1868,7 +1967,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 607, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1926,7 +2028,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 356, - "source.port": 33534 + "source.port": 33534, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1984,7 +2089,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 735, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2035,7 +2143,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2088,7 +2199,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 594, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2146,7 +2260,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 58, - "source.port": 33524 + "source.port": 33524, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2204,7 +2321,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 130, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -2262,7 +2382,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 250, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2320,7 +2443,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 37, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2378,7 +2504,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 237, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2436,7 +2565,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 353, - "source.port": 33694 + "source.port": 33694, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2487,7 +2619,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2540,7 +2675,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 605, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2591,7 +2729,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 33862 + "source.port": 33862, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2644,7 +2785,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 737, - "source.port": 65321 + "source.port": 65321, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -2697,7 +2841,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 600, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2755,7 +2902,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.101", "source.packets": 949, - "source.port": 49680 + "source.port": 49680, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2813,7 +2963,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.177", "source.packets": 227, - "source.port": 60112 + "source.port": 60112, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2871,7 +3024,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 270, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2924,7 +3080,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 709, - "source.port": 65316 + "source.port": 65316, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2977,7 +3136,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 728, - "source.port": 65263 + "source.port": 65263, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3028,7 +3190,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 50438 + "source.port": 50438, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3079,7 +3244,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -3132,7 +3300,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 11, - "source.port": 22 + "source.port": 22, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3190,7 +3361,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 353, - "source.port": 33558 + "source.port": 33558, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3248,7 +3422,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 354, - "source.port": 33548 + "source.port": 33548, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3301,7 +3478,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 717, - "source.port": 65271 + "source.port": 65271, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3352,7 +3532,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 34178 + "source.port": 34178, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3403,7 +3586,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33602 + "source.port": 33602, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3461,7 +3647,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 366, - "source.port": 33554 + "source.port": 33554, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3512,7 +3701,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -3563,7 +3755,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 52454 + "source.port": 52454, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3621,7 +3816,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3672,7 +3870,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3730,7 +3931,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33530 + "source.port": 33530, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3788,7 +3992,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 366, - "source.port": 33556 + "source.port": 33556, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3846,7 +4053,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 86, - "source.port": 33570 + "source.port": 33570, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3904,7 +4114,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 247, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3955,7 +4168,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4013,7 +4229,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 118, - "source.port": 33858 + "source.port": 33858, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4064,7 +4283,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33064 + "source.port": 33064, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4122,7 +4344,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4173,7 +4398,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 53706 + "source.port": 53706, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4224,7 +4452,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 52260 + "source.port": 52260, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4275,7 +4506,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4326,7 +4560,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4377,7 +4614,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4428,7 +4668,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 34906 + "source.port": 34906, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4479,7 +4722,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4537,7 +4783,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33534 + "source.port": 33534, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4595,7 +4844,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 358, - "source.port": 33510 + "source.port": 33510, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4646,7 +4898,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 58216 + "source.port": 58216, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4704,7 +4959,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 243, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4755,7 +5013,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4806,7 +5067,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4857,7 +5121,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 34090 + "source.port": 34090, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4915,7 +5182,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 246, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4973,7 +5243,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 71, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -5031,7 +5304,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 75, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5089,7 +5365,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 249, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5147,7 +5426,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 357, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5205,7 +5487,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 242, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5263,7 +5548,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 244, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", 
@@ -5321,7 +5609,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.177", "source.packets": 708, - "source.port": 60108 + "source.port": 60108, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5379,7 +5670,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 74, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5437,7 +5731,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 95, - "source.port": 33968 + "source.port": 33968, + "tags": [ + "forwarded" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5495,6 +5792,9 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 351, - "source.port": 33590 + "source.port": 33590, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml index 71e9c9c59f3..061d0f532af 100644 --- a/x-pack/filebeat/module/o365/audit/config/input.yml +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -36,6 +36,8 @@ exclude_files: [".gz$"] json.add_error_key: true {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: {{ if eq .input "file" }} diff --git a/x-pack/filebeat/module/o365/audit/manifest.yml b/x-pack/filebeat/module/o365/audit/manifest.yml index a00b9626619..572e770c1e8 100644 --- a/x-pack/filebeat/module/o365/audit/manifest.yml +++ b/x-pack/filebeat/module/o365/audit/manifest.yml @@ -11,6 +11,9 @@ var: - name: tenants - name: content_type - name: api + - name: tags + default: [forwarded] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml 
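Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in the o365 audit input.yml hunk ties suppression of the collector's `host.*` fields to the literal tag `forwarded`, and nothing in the template records why, so a user who later edits `var.tags` for their own labelling and drops `forwarded` will silently start stamping Filebeat's own hostname onto events that describe activity in the tenant, misattributing the event source in downstream correlation. Add a comment above the two new lines, e.g. `# o365 audit events do not originate on this host; while "forwarded" is in tags, host.* is suppressed so the collector is not recorded as the event source.` The manifest.yml hunk on this same line introduces the `tags` var with `default: [forwarded]` but no description, so if the module's documentation does not already describe `var.tags` and the effect of omitting `forwarded`, that is where users need to see this coupling. `inList` presumably compares the exact string, so a differently-cased or prefixed tag would not disable the host fields; worth stating in that comment if confirmed.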
diff --git a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json index 43ed055dad6..1fbe5afbaf7 100644 --- a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json @@ -38,6 +38,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -92,6 +95,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -146,6 +152,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -187,6 +196,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -228,6 +240,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -270,6 +285,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -313,6 +331,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -354,6 +375,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -408,6 +432,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -462,6 +489,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -504,6 +534,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -558,6 +591,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -612,6 +648,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -666,6 +705,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -720,6 +762,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -774,6 +819,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -828,6 +876,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -869,6 +920,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -911,6 +965,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -953,6 +1010,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -994,6 +1054,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -1036,6 +1099,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1090,6 +1156,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1144,6 +1213,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1198,6 +1270,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1252,6 +1327,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1306,6 +1384,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1360,6 +1441,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -1414,6 +1498,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1468,6 +1555,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1524,6 +1614,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1578,6 +1671,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1632,6 +1728,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1686,6 +1785,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1740,6 +1842,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -1794,6 +1899,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1848,6 +1956,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1902,6 +2013,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1956,6 +2070,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2010,6 +2127,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2061,6 +2181,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2104,6 +2227,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2146,6 +2272,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2188,6 +2317,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2230,6 +2362,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2286,6 +2421,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2340,6 +2478,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2394,6 +2535,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2448,6 +2592,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2502,6 +2649,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2556,6 +2706,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2610,6 +2763,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2664,6 +2820,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2718,6 +2877,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2772,6 +2934,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2826,6 +2991,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2880,6 +3048,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2923,6 +3094,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2966,6 +3140,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3020,6 +3197,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3074,6 +3254,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3117,6 +3300,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3158,6 +3344,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3214,6 +3403,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3268,6 +3460,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3322,6 +3517,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3376,6 +3574,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3430,6 +3631,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3484,6 +3688,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3538,6 +3745,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3592,6 +3802,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3634,6 +3847,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3677,6 +3893,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3719,6 +3938,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3762,6 +3984,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3803,6 +4028,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3846,6 +4074,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3887,6 +4118,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3930,6 +4164,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3984,6 +4221,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4038,6 +4278,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4092,6 +4335,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4146,6 +4392,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4200,6 +4449,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -4254,6 +4506,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4308,6 +4563,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4362,6 +4620,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4405,6 +4666,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4459,6 +4723,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4513,6 +4780,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4555,6 +4825,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -4609,6 +4882,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4650,6 +4926,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4693,6 +4972,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4744,6 +5026,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4798,6 +5083,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4841,6 +5129,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4895,6 +5186,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -4951,6 +5245,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -5005,6 +5302,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json index 525e9dcf362..7c530b3de40 100644 --- a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json @@ -55,6 +55,9 @@ "server.address": "AM6PR01MB4535 (15.20.2729.032)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -114,6 +117,9 @@ "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -173,6 +179,9 @@ "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -232,6 +241,9 @@ "server.address": "DB3PR0102MB3500 (15.20.2729.032)", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, 
@@ -291,6 +303,9 @@ "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -350,6 +365,9 @@ "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -409,6 +427,9 @@ "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -468,6 +489,9 @@ "server.address": "AM6PR01MB4535 (15.20.2729.032)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" }, @@ -527,6 +551,9 @@ "server.address": "AM6PR01MB4535 (15.20.2729.032)\n", "service.type": "o365", "source.ip": "::1", + "tags": [ + "forwarded" + ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" } diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 93b5869d874..650bbe92b0c 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -52,6 +52,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -116,6 +119,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -180,6 +186,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -244,6 +253,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index feaff17cf4c..f77a0237b08 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -59,6 +59,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -131,6 +134,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -203,6 +209,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -275,6 +284,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -348,6 +360,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -420,6 +435,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -492,6 +510,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -565,6 +586,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -637,6 +661,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -709,6 +736,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -781,6 +811,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index 8c4c7233407..e0dfc8ff9b8 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json 
@@ -134,6 +134,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -273,6 +276,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -412,6 +418,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -562,6 +571,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -712,6 +724,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -869,6 +884,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1026,6 +1044,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -1183,6 +1204,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1340,6 +1364,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1497,6 +1524,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1654,6 +1684,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1811,6 +1844,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1968,6 +2004,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2125,6 +2164,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -2282,6 +2324,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2439,6 +2484,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2596,6 +2644,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2753,6 +2804,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2892,6 +2946,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3031,6 +3088,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3181,6 +3241,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -3320,6 +3383,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3459,6 +3525,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3598,6 +3667,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3748,6 +3820,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3905,6 +3980,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4062,6 +4140,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4219,6 +4300,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -4376,6 +4460,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4533,6 +4620,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4690,6 +4780,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4847,6 +4940,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5004,6 +5100,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5162,6 +5261,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5320,6 +5422,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -5445,6 +5550,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "fim_password_service", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "support.onmicrosoft.com", "user.id": "fim_password_service@support.onmicrosoft.com", "user.name": "fim_password_service" @@ -5602,6 +5710,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5759,6 +5870,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5916,6 +6030,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6073,6 +6190,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6230,6 +6350,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6387,6 +6510,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -6544,6 +6670,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6701,6 +6830,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6858,6 +6990,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7015,6 +7150,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7172,6 +7310,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7329,6 +7470,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7486,6 +7630,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -7643,6 +7790,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7800,6 +7950,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7958,6 +8111,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8116,6 +8272,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8273,6 +8432,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8430,6 +8592,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8587,6 +8752,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -8744,6 +8912,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8901,6 +9072,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9058,6 +9232,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9215,6 +9392,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9372,6 +9552,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9529,6 +9712,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9668,6 +9854,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -9807,6 +9996,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9946,6 +10138,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10085,6 +10280,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10234,6 +10432,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10384,6 +10585,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10534,6 +10738,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10684,6 +10891,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -10834,6 +11044,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10971,6 +11184,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11110,6 +11326,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11249,6 +11468,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11399,6 +11621,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11549,6 +11774,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11699,6 +11927,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -11838,6 +12069,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11977,6 +12211,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12116,6 +12353,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12266,6 +12506,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12416,6 +12659,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12566,6 +12812,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12723,6 +12972,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -12880,6 +13132,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13037,6 +13292,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13194,6 +13452,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13351,6 +13612,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13508,6 +13772,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13665,6 +13932,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13822,6 +14092,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -13979,6 +14252,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14136,6 +14412,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14293,6 +14572,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14451,6 +14733,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14609,6 +14894,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14767,6 +15055,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14922,6 +15213,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -15077,6 +15371,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -15232,6 +15529,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" diff --git a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json index 8d1e8e5a328..5fbd3a96c71 100644 --- a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json @@ -76,6 +76,9 @@ "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -167,6 +170,9 @@ "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", 
@@ -254,6 +260,9 @@ "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -345,6 +354,9 @@ "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -436,6 +448,9 @@ "rule.id": "bc4d376f-b038-4695-9362-609d32f963cf", "rule.name": "High volume of content detected France Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -527,6 +542,9 @@ "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "rule.name": "Low volume of content detected France Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", 
@@ -618,6 +636,9 @@ "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "rule.name": "Low volume of content detected France Financial", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json index 2a245f64168..dd3364f133f 100644 --- a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json @@ -143,6 +143,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "forwarded" + ], "user.id": "DlpAgent" }, { @@ -289,6 +292,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "forwarded" + ], "user.id": "DlpAgent" }, { @@ -436,6 +442,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "forwarded" + ], "user.id": "DlpAgent" }, { @@ -583,6 +592,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "forwarded" + ], "user.id": "DlpAgent" }, { @@ -680,6 +692,9 @@ "rule.name": "Low volume of content detected test", "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "forwarded" + ], "user.id": "DlpAgent" }, { @@ -772,6 +787,9 @@ "rule.id": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", "rule.name": "Low volume of content detected test", "service.type": "o365", + "tags": [ + "forwarded" + ], "url.original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", 
diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 399814ae9a0..190e2185584 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -39,6 +39,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -86,6 +89,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -133,6 +139,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -180,6 +189,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -227,6 +239,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -289,6 +304,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -359,6 +377,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -430,6 +451,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -501,6 +525,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -572,6 +599,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 948359f11ca..a71438525e9 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -81,6 +81,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -174,6 +177,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -267,6 +273,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -360,6 +369,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -453,6 +465,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -546,6 +561,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -639,6 +657,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -732,6 +753,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -825,6 +849,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -918,6 +945,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1011,6 +1041,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1104,6 +1137,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1197,6 +1233,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1290,6 +1329,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1380,6 +1422,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1473,6 +1518,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -1566,6 +1614,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1656,6 +1707,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1749,6 +1803,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1842,6 +1899,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1935,6 +1995,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2028,6 +2091,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2121,6 +2187,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -2214,6 +2283,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2307,6 +2379,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2400,6 +2475,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2493,6 +2571,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2586,6 +2667,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2679,6 +2763,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2771,6 +2858,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -2865,6 +2955,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2948,6 +3041,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3039,6 +3135,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3122,6 +3221,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3214,6 +3316,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3297,6 +3402,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3389,6 +3497,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -3482,6 +3593,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3575,6 +3689,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3658,6 +3775,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3750,6 +3870,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3840,6 +3963,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3933,6 +4059,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4026,6 +4155,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -4109,6 +4241,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -4200,6 +4335,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4293,6 +4431,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4386,6 +4527,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4479,6 +4623,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4572,6 +4719,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4665,6 +4815,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -4758,6 +4911,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4851,6 +5007,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4944,6 +5103,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5037,6 +5199,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5130,6 +5295,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5223,6 +5391,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5316,6 +5487,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -5406,6 +5580,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5499,6 +5676,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5592,6 +5772,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5685,6 +5868,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5778,6 +5964,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5871,6 +6060,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5964,6 +6156,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -6057,6 +6252,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6150,6 +6348,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6243,6 +6444,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6336,6 +6540,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index d0ed002d522..4bd20443e07 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -54,6 +54,9 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "source.port": "12345", + "tags": [ + "forwarded" + ], "user.email": "alice@testsiem2.onmicrosoft.com", "user.id": "36787265537" }, @@ -103,6 +106,9 @@ "service.type": "o365", "source.ip": "fdfd::555", "source.port": "12346", + "tags": [ + "forwarded" + ], "user.email": "asr@testsiem2.onmicrosoft.com", "user.id": "36085768193" } 
diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json index 40e3e3dd3ad..c3435f152d6 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json @@ -29,6 +29,9 @@ "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Application" }, { @@ -85,6 +88,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "asr", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -128,6 +134,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "asr", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -162,6 +171,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "bob", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "bob@testsiem.onmicrosoft.com", "user.name": "bob" diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json index beee3341761..fd05be0b044 100644 --- a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json @@ -57,6 +57,9 @@ ], "rule.ruleset": "User", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -108,6 +111,9 @@ "rule.name": "Elevation of Exchange admin privilege", "rule.reference": "http://example.net/single", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "SecurityComplianceAlerts" }, { @@ -159,6 +165,9 @@ "rule.name": "Phony Malware Alert", "rule.ruleset": "MalwareFamily", "service.type": "o365", + "tags": [ + "forwarded" + ], "threat.technique.id": "Malware/Evil.Malware.B", "user.id": "SecurityComplianceAlerts" } diff --git a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json index 3ea637aee91..0f4b914b993 100644 --- a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json @@ -28,6 +28,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Service Account" }, { @@ -59,6 +62,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Service Account" }, { @@ -90,6 +96,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Service Account" }, { @@ -121,6 +130,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Service Account" }, { @@ -152,6 +164,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "forwarded" + ], "user.id": "Service Account" }, { 
@@ -183,6 +198,9 @@
 "o365.audit.Workload": "SecurityComplianceCenter",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
+ "tags": [
+ "forwarded"
+ ],
 "user.id": "Service Account"
 },
 {
@@ -214,6 +232,9 @@
 "o365.audit.Workload": "SecurityComplianceCenter",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
+ "tags": [
+ "forwarded"
+ ],
 "user.id": "Service Account"
 },
 {
@@ -245,6 +266,9 @@
 "o365.audit.Workload": "SecurityComplianceCenter",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
+ "tags": [
+ "forwarded"
+ ],
 "user.id": "Service Account"
 },
 {
@@ -276,6 +300,9 @@
 "o365.audit.Workload": "SecurityComplianceCenter",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
+ "tags": [
+ "forwarded"
+ ],
 "user.id": "Service Account"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml
index 79181de3c56..cf646175059 100644
--- a/x-pack/filebeat/module/okta/system/config/input.yml
+++ b/x-pack/filebeat/module/okta/system/config/input.yml
@@ -25,6 +25,8 @@ paths:
 exclude_files: [".gz$"]
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
 - script:
diff --git a/x-pack/filebeat/module/okta/system/manifest.yml b/x-pack/filebeat/module/okta/system/manifest.yml
index 639a4c95c80..b5dc38bc55c 100644
--- a/x-pack/filebeat/module/okta/system/manifest.yml
+++ b/x-pack/filebeat/module/okta/system/manifest.yml
@@ -46,6 +46,8 @@ var:
 - name: ssl
 default: |-
 {}
+ - name: tags
+ default: [forwarded]
 input: config/input.yml
 ingest_pipeline: ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index 5406413e333..c85eeff2148 100644
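Review bot: `publisher_pipeline.disable_host` is computed from the user-editable `var.tags`, so overriding the tags without `forwarded` (e.g. `var.tags: [okta]`) silently re-enables `host.name` set to the Filebeat collector, which for API-polled Okta events never matches where the event happened. The template carries no comment explaining that coupling; suggest above the two new lines: `# "forwarded" in tags suppresses host.* (here and via add_host_metadata's when.not.contains.tags); Okta events never originate on this host`. The okta manifest hunk on this line adds the `tags` var with no description, and the module's docs should describe `var.tags` the way the cef docs in this commit do — I can't see from here whether an okta docs file is changed elsewhere in the diff.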
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -62,6 +62,9 @@
 "source.ip": "108.255.197.247",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "forwarded"
+ ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -134,6 +137,9 @@
 "source.ip": "108.255.197.247",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "forwarded"
+ ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -221,6 +227,9 @@
 "source.ip": "108.255.197.247",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "forwarded"
+ ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 2ce806d6b4c..8cf62c795ab 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -15,7 +15,15 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: Palo Alto Networks
+ product: PAN-OS
+ type: firewall
 processors:
 - add_locale: ~
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 4c356d65080..36f901c2845 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
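Review bot: The new `publisher_pipeline.disable_host` line only suppresses the `host.name` the publisher adds; `host.*` from an `add_host_metadata` processor that lacks the `when.not.contains.tags: forwarded` condition this commit introduces in the default processors template is unaffected, so users carrying an older filebeat.yml will still get collector host metadata on pan-os events despite the new `forwarded` default. That dependency is not stated anywhere in the hunk; suggest a comment on the line: `# suppresses publisher host.name only; add_host_metadata must be gated on tags separately (see default processors)`. The same applies to the okta input.yml hunk. The new `fields_under_root: true` block sets the three `observer.*` constants for both the syslog and file inputs, which looks intended given the expected-JSON updates.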
@@ -5,7 +5,7 @@ var:
 default:
 - /var/log/pan-os.log
 - name: tags
- default: [pan-os]
+ default: [pan-os, forwarded]
 - name: syslog_host
 default: localhost
 - name: syslog_port
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
index 7e4de9af8ca..08d6f6219e4 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
@@ -54,7 +54,10 @@
 "observer.egress.zone": "untrust",
 "observer.ingress.interface.name": "ethernet1/2",
 "observer.ingress.zone": "trust",
+ "observer.product": "PAN-OS",
 "observer.serial_number": "01606001116",
+ "observer.type": "firewall",
+ "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "0.0.0.0",
@@ -91,7 +94,8 @@
 "source.port": 59309,
 "source.user.name": "crusher",
 "tags": [
- "pan-os"
+ "pan-os",
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
index 83f4b832745..6f61cf168de 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
@@ -47,7 +47,10 @@
 "observer.egress.zone": "untrust",
 "observer.ingress.interface.name": "ethernet1/2",
 "observer.ingress.zone": "trust",
+ "observer.product": "PAN-OS",
 "observer.serial_number": "01606001116",
+ "observer.type": "firewall",
+ "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "0.0.0.0",
@@ -83,7 +86,8 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lorexx.cn/loader.exe" }, @@ -135,7 +139,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -171,7 +178,8 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=2" }, @@ -223,7 +231,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -259,7 +270,8 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=5" }, @@ -311,7 +323,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -347,7 +362,8 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=7" }, 
@@ -399,7 +415,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -435,7 +454,8 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122" }, @@ -487,7 +507,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -523,7 +546,8 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122" }, @@ -575,7 +599,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -611,7 +638,8 @@ "source.port": 59302, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "liteautobestguide.cn/load.php" }, 
@@ -663,7 +691,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -699,7 +730,8 @@ "source.port": 59301, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "liteautobestguide.cn/index.php" }, @@ -751,7 +783,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -787,7 +822,8 @@ "source.port": 59303, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "litetopdetect.cn/index.php" }, @@ -839,7 +875,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -875,7 +914,8 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" }, 
@@ -927,7 +967,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -963,7 +1006,8 @@ "source.port": 59297, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "girlteenxxxfreemov.com/" }, @@ -1015,7 +1059,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1051,7 +1098,8 @@ "source.port": 59299, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "imagesrepository.com/resolution.php" }, @@ -1103,7 +1151,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1139,7 +1190,8 @@ "source.port": 59298, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "hottestfiles.com/search/search.php?q=xxx" }, 
@@ -1190,7 +1242,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1226,7 +1281,8 @@ "source.port": 59300, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "infodist1.com/in.cgi?11¶meter=404" }, @@ -1278,7 +1334,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1314,7 +1373,8 @@ "source.port": 59295, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cls-softwares.com/suc.php" }, @@ -1366,7 +1426,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1402,7 +1465,8 @@ "source.port": 59291, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cls-softwares.com/softwarefortubeview.40013.exe" }, 
@@ -1450,7 +1514,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1486,7 +1553,8 @@ "source.port": 59296, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "findmorepill.com/klik/search.php?q=xxx" }, @@ -1538,7 +1606,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1574,7 +1645,8 @@ "source.port": 59280, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "allowedwebsurfing.com/" }, @@ -1626,7 +1698,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1662,7 +1737,8 @@ "source.port": 59281, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-remote.com/" }, 
@@ -1714,7 +1790,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1750,7 +1829,8 @@ "source.port": 59282, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bklinkov.ru/hi/start.cfg" }, @@ -1802,7 +1882,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1838,7 +1921,8 @@ "source.port": 59290, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "blogsexnakedgirlxxx.com/" }, @@ -1890,7 +1974,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1926,7 +2013,8 @@ "source.port": 59286, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bklinkov.ru/hi/start.exe" }, 
@@ -1978,7 +2066,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2014,7 +2105,8 @@ "source.port": 59275, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2066,7 +2158,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2102,7 +2197,8 @@ "source.port": 59277, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2154,7 +2250,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2190,7 +2289,8 @@ "source.port": 59276, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2242,7 +2342,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2278,7 +2381,8 @@ "source.port": 59278, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2330,7 +2434,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2366,7 +2473,8 @@ "source.port": 59279, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2418,7 +2526,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2454,7 +2565,8 @@ "source.port": 59271, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2506,7 +2618,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2542,7 +2657,8 @@ "source.port": 59269, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2594,7 +2710,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2630,7 +2749,8 @@ "source.port": 59270, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2682,7 +2802,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2718,7 +2841,8 @@ "source.port": 59274, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2770,7 +2894,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2806,7 +2933,8 @@ "source.port": 59273, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2858,7 +2986,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2894,7 +3025,8 @@ "source.port": 59272, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2942,7 +3074,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2978,7 +3113,8 @@ "source.port": 59261, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "wantfinest.com/tds/in.cgi?default" }, 
@@ -3026,7 +3162,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3062,7 +3201,8 @@ "source.port": 59248, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "sameshitasiteverwas.com/traf/tds/in.cgi?2" }, @@ -3110,7 +3250,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3146,7 +3289,8 @@ "source.port": 59251, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "svarkon.ru/update.exe" }, @@ -3197,7 +3341,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3233,7 +3380,8 @@ "source.port": 59244, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "onlinescanxpp.com/land/eurl/1.php?code=" }, 
@@ -3281,7 +3429,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3317,7 +3468,8 @@ "source.port": 59237, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" }, @@ -3365,7 +3517,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3401,7 +3556,8 @@ "source.port": 59238, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nolagtime.com/gwc.txt" }, @@ -3452,7 +3608,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3488,7 +3647,8 @@ "source.port": 59010, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "karavan.us/bon/index.php" }, 
@@ -3536,7 +3696,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3572,7 +3735,8 @@ "source.port": 58969, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "findnolimits.com/go.php?sid=1" }, @@ -3620,7 +3784,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3656,7 +3823,8 @@ "source.port": 58941, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bizoplata.ru/moun.html" }, @@ -3704,7 +3872,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3740,7 +3911,8 @@ "source.port": 58942, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bizoplata.ru/palast.html" }, 
@@ -3779,7 +3951,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "drop-all-packets", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3824,7 +3999,8 @@ "source.ip": "204.232.231.46", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "controller.php" }, @@ -3875,7 +4051,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3911,7 +4090,8 @@ "source.port": 58856, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "www.15min.it/" }, @@ -3959,7 +4139,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3995,7 +4178,8 @@ "source.port": 58847, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "tubemov.com/" }, 
@@ -4043,7 +4227,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4079,7 +4266,8 @@ "source.port": 58841, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js" }, @@ -4127,7 +4315,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4163,7 +4354,8 @@ "source.port": 58795, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "movfree.com/" }, @@ -4214,7 +4406,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4250,7 +4445,8 @@ "source.port": 58753, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "gometascan.com/" }, 
@@ -4301,7 +4497,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4337,7 +4536,8 @@ "source.port": 58708, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe" }, @@ -4388,7 +4588,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4424,7 +4627,8 @@ "source.port": 58707, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N" }, @@ -4475,7 +4679,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4511,7 +4718,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, 
@@ -4562,7 +4770,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4598,7 +4809,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, @@ -4640,7 +4852,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4685,7 +4900,8 @@ "source.ip": "173.236.179.57", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "uLLGRaXP.exe" }, @@ -4736,7 +4952,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4772,7 +4991,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, 
@@ -4814,7 +5034,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4859,7 +5082,8 @@ "source.ip": "91.209.163.202", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "FunkyEmoticons_setup.exe" }, @@ -4901,7 +5125,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4945,7 +5172,8 @@ "source.ip": "122.226.169.183", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "52hxw.exe" }, @@ -4996,7 +5224,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5032,7 +5263,8 @@ "source.port": 63007, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "softsellfast.com/test/config.bin" }, 
@@ -5074,7 +5306,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5116,7 +5351,8 @@ "source.ip": "109.201.131.15", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "setup.exe" }, @@ -5158,7 +5394,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5203,7 +5442,8 @@ "source.ip": "91.209.163.202", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "Live-Player_setup.exe" }, @@ -5251,7 +5491,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5287,7 +5530,8 @@ "source.port": 59709, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "boialex.narod.ru/config.txt" }, 
@@ -5335,7 +5579,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5371,7 +5618,8 @@ "source.port": 59721, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "edw-melon.narod.ru/config.txt" }, @@ -5419,7 +5667,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5455,7 +5706,8 @@ "source.port": 59752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "maximtushin.narod.ru/config.txt" }, @@ -5497,7 +5749,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5542,7 +5797,8 @@ "source.ip": "173.236.179.57", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "uLLGRaXP.exe" }, 
@@ -5593,7 +5849,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5629,7 +5888,8 @@ "source.port": 63183, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "marketingsoluchion.biz/fkn/config.bin" }, @@ -5680,7 +5940,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5716,7 +5979,8 @@ "source.port": 1047, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "default.aspx" }, @@ -5758,7 +6022,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5803,7 +6070,8 @@ "source.ip": "65.54.161.34", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "sck.aspx" }, 
@@ -5845,7 +6113,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5890,7 +6161,8 @@ "source.ip": "65.55.5.231", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "ADSAdClient31.dll" }, @@ -5941,7 +6213,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5977,7 +6252,8 @@ "source.port": 1048, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "c.gif" }, @@ -6019,7 +6295,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6061,7 +6340,8 @@ "source.ip": "74.125.239.17", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "csi" }, 
@@ -6109,7 +6389,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6145,7 +6428,8 @@ "source.port": 57502, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "internal-tuner.pandora.com" }, @@ -6187,7 +6471,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6229,7 +6516,8 @@ "source.ip": "74.125.224.198", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6271,7 +6559,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6316,7 +6607,8 @@ "source.ip": "188.190.124.75", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "about.exe" }, 
@@ -6358,7 +6650,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6400,7 +6695,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6442,7 +6738,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6484,7 +6783,8 @@ "source.ip": "74.125.239.3", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6526,7 +6826,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6568,7 +6871,8 @@ "source.ip": "74.125.239.3", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -6610,7 +6914,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6652,7 +6959,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6700,7 +7008,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6736,7 +7047,8 @@ "source.port": 52366, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "__utm.gif" }, @@ -6778,7 +7090,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6820,7 +7135,8 @@ "source.ip": "74.125.224.193", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -6862,7 +7178,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6904,7 +7223,8 @@ "source.ip": "74.125.239.20", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nav_logo107.png" }, @@ -6946,7 +7266,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6988,7 +7311,8 @@ "source.ip": "208.80.154.225", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "Eadweard_Muybridge" }, @@ -7030,7 +7354,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7072,7 +7399,8 @@ "source.ip": "208.80.154.234", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "load.php" }, 
@@ -7114,7 +7442,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7159,7 +7490,8 @@ "source.ip": "65.54.75.25", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "8fe44cb728c0f40750c64ee906eb72.css" }, @@ -7201,7 +7533,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7243,7 +7578,8 @@ "source.ip": "74.125.224.206", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7285,7 +7621,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7327,7 +7666,8 @@ "source.ip": "74.125.224.195", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -7369,7 +7709,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7414,7 +7757,8 @@ "source.ip": "207.178.96.34", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "appcast.xml" }, @@ -7456,7 +7800,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7498,7 +7845,8 @@ "source.ip": "74.125.224.195", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7540,7 +7888,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7582,7 +7933,8 @@ "source.ip": "74.125.239.20", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "csi" }, 
@@ -7624,7 +7976,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7669,7 +8024,8 @@ "source.ip": "66.152.109.24", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "index.php" }, @@ -7711,7 +8067,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7753,7 +8112,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7801,7 +8161,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7837,7 +8200,8 @@ "source.port": 49681, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "__utm.gif" }, 
@@ -7879,7 +8243,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7921,7 +8288,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7963,7 +8331,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8005,7 +8376,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8053,7 +8425,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8089,7 +8464,8 @@ "source.port": 59781, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "internal-tuner.pandora.com" }, 
@@ -8131,7 +8507,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8173,7 +8552,8 @@ "source.ip": "74.125.224.201", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8215,7 +8595,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8257,7 +8640,8 @@ "source.ip": "74.125.224.201", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8299,7 +8683,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8341,7 +8728,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -8383,7 +8771,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8425,7 +8816,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8467,7 +8859,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8509,7 +8904,8 @@ "source.ip": "74.125.224.198", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "ga.js" }, @@ -8551,7 +8947,10 @@ "observer.egress.zone": "trust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8593,7 +8992,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" } diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 12149128bf6..11116597ea6 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json 
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -54,7 +54,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -91,7 +94,8 @@ "source.port": 59324, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -146,7 +150,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -183,7 +190,8 @@ "source.port": 54448, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -238,7 +246,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -275,7 +286,8 @@ "source.port": 53121, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -333,7 +345,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -370,7 +385,8 @@ "source.port": 59323, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -428,7 +444,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -465,7 +484,8 @@ "source.port": 59322, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -520,7 +540,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -557,7 +580,8 @@ "source.port": 55766, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -612,7 +636,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -649,7 +676,8 @@ "source.port": 55072, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -707,7 +735,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -744,7 +775,8 @@ "source.port": 59207, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -802,7 +834,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -839,7 +874,8 @@ "source.port": 59209, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -897,7 +933,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -934,7 +973,8 @@ "source.port": 59208, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -992,7 +1032,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1029,7 +1072,8 @@ "source.port": 59318, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1087,7 +1131,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1124,7 +1171,8 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1182,7 +1230,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1219,7 +1270,8 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1277,7 +1329,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1314,7 +1369,8 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1372,7 +1428,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1409,7 +1468,8 @@ "source.port": 59206, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1467,7 +1527,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1504,7 +1567,8 @@ "source.port": 59205, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1562,7 +1626,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1599,7 +1666,8 @@ "source.port": 56858, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1657,7 +1725,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1694,7 +1765,8 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1752,7 +1824,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1789,7 +1864,8 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1844,7 +1920,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1881,7 +1960,8 @@ "source.port": 52139, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1936,7 +2016,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1973,7 +2056,8 @@ "source.port": 60592, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2031,7 +2115,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2068,7 +2155,8 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2123,7 +2211,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2160,7 +2251,8 @@ "source.port": 57322, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2218,7 +2310,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2255,7 +2350,8 @@ "source.port": 59204, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2313,7 +2409,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2350,7 +2449,8 @@ "source.port": 59203, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2408,7 +2508,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2445,7 +2548,8 @@ "source.port": 59305, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2500,7 +2604,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2537,7 +2644,8 @@ "source.port": 64005, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2592,7 +2700,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2629,7 +2740,8 @@ "source.port": 58768, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2687,7 +2799,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2724,7 +2839,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2782,7 +2898,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2819,7 +2938,8 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2874,7 +2994,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2911,7 +3034,8 @@ "source.port": 54533, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2969,7 +3093,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3006,7 +3133,8 @@ "source.port": 59201, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3064,7 +3192,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3101,7 +3232,8 @@ "source.port": 59303, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3156,7 +3288,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3193,7 +3328,8 @@ "source.port": 50876, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3248,7 +3384,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3285,7 +3424,8 @@ "source.port": 57657, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3343,7 +3483,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3380,7 +3523,8 @@ "source.port": 59302, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3438,7 +3582,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3475,7 +3622,8 @@ "source.port": 59301, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3530,7 +3678,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3567,7 +3718,8 @@ "source.port": 64844, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3622,7 +3774,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3659,7 +3814,8 @@ "source.port": 52257, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3712,7 +3868,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3744,7 +3903,8 @@ "source.packets": 1, "source.port": 38796, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3799,7 +3959,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3836,7 +3999,8 @@ "source.port": 59200, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3892,7 +4056,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3924,7 +4091,8 @@ "source.packets": 10, "source.port": 48412, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3982,7 +4150,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4019,7 +4190,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4077,7 +4249,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4114,7 +4289,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4167,7 +4343,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4199,7 +4378,8 @@ "source.packets": 1, "source.port": 52189, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4257,7 +4437,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4294,7 +4477,8 @@ "source.port": 59300, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4349,7 +4533,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4386,7 +4573,8 @@ "source.port": 54414, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4444,7 +4632,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4481,7 +4672,8 @@ "source.port": 59299, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4536,7 +4728,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4573,7 +4768,8 @@ "source.port": 60399, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4628,7 +4824,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4665,7 +4864,8 @@ "source.port": 59626, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4720,7 +4920,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4757,7 +4960,8 @@ "source.port": 51542, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4812,7 +5016,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4849,7 +5056,8 @@ "source.port": 54182, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4904,7 +5112,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4941,7 +5152,8 @@ "source.port": 59199, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4999,7 +5211,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5036,7 +5251,8 @@ "source.port": 59198, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5094,7 +5310,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5131,7 +5350,8 @@ "source.port": 56856, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5186,7 +5406,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5223,7 +5446,8 @@ "source.port": 52489, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5281,7 +5505,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5318,7 +5545,8 @@ "source.port": 59298, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5373,7 +5601,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5410,7 +5641,8 @@ "source.port": 60185, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5465,7 +5697,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5502,7 +5737,8 @@ "source.port": 51817, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5560,7 +5796,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5597,7 +5836,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5655,7 +5895,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5692,7 +5935,8 @@ "source.port": 59297, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5747,7 +5991,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5784,7 +6031,8 @@ "source.port": 52537, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5839,7 +6087,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5876,7 +6127,8 @@ "source.port": 53155, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5931,7 +6183,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5968,7 +6223,8 @@ "source.port": 59197, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6023,7 +6279,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6060,7 +6319,8 @@ "source.port": 56995, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6115,7 +6375,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6152,7 +6415,8 @@ "source.port": 59069, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6207,7 +6471,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6244,7 +6511,8 @@ "source.port": 55697, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6302,7 +6570,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6339,7 +6610,8 @@ "source.port": 59295, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6394,7 +6666,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6431,7 +6706,8 @@ "source.port": 59196, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6489,7 +6765,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6526,7 +6805,8 @@ "source.port": 59291, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6581,7 +6861,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6618,7 +6901,8 @@ "source.port": 52858, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6673,7 +6957,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6710,7 +6997,8 @@ "source.port": 61383, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6768,7 +7056,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6805,7 +7096,8 @@ "source.port": 59290, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6860,7 +7152,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6897,7 +7192,8 @@ "source.port": 59195, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6952,7 +7248,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6989,7 +7288,8 @@ "source.port": 49812, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7044,7 +7344,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7081,7 +7384,8 @@ "source.port": 50185, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7139,7 +7443,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7176,7 +7483,8 @@ "source.port": 59286, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7225,7 +7533,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7262,7 +7573,8 @@ "source.port": 52531, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7320,7 +7632,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7357,7 +7672,8 @@ "source.port": 59194, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7415,7 +7731,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7452,7 +7771,8 @@ "source.port": 59192, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7501,7 +7821,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7538,7 +7861,8 @@ "source.port": 56463, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7587,7 +7911,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7624,7 +7951,8 @@ "source.port": 55849, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7682,7 +8010,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7719,7 +8050,8 @@ "source.port": 59282, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7774,7 +8106,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7811,7 +8146,8 @@ "source.port": 57846, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7866,7 +8202,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7903,7 +8242,8 @@ "source.port": 51008, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7961,7 +8301,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7998,7 +8341,8 @@ "source.port": 59281, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8053,7 +8397,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8090,7 +8437,8 @@ "source.port": 55252, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8139,7 +8487,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8176,7 +8527,8 @@ "source.port": 56995, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8231,7 +8583,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8268,7 +8623,8 @@ "source.port": 60989, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8326,7 +8682,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8363,7 +8722,8 @@ "source.port": 59280, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8418,7 +8778,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8455,7 +8818,8 @@ "source.port": 53766, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8510,7 +8874,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8547,7 +8914,8 @@ "source.port": 56032, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8602,7 +8970,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8639,7 +9010,8 @@ "source.port": 59193, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8697,7 +9069,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8734,7 +9109,8 @@ "source.port": 59279, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8792,7 +9168,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8829,7 +9208,8 @@ "source.port": 59278, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8887,7 +9267,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8924,7 +9307,8 @@ "source.port": 59277, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8973,7 +9357,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9010,7 +9397,8 @@ "source.port": 60026, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9068,7 +9456,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9105,7 +9496,8 @@ "source.port": 59276, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9163,7 +9555,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9200,7 +9595,8 @@ "source.port": 59275, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -9258,7 +9654,10 @@ "observer.egress.zone": "untrust", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9295,7 +9694,8 @@ "source.port": 59274, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index dea8a330cad..40105c59295 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -51,7 +51,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -87,7 +90,8 @@ "source.nat.port": 37679, "source.port": 52984, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -143,7 +147,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", 
@@ -179,7 +186,8 @@ "source.nat.port": 28249, "source.port": 52983, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -235,7 +243,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -271,7 +282,8 @@ "source.nat.port": 63898, "source.port": 52986, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -327,7 +339,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -363,7 +378,8 @@ "source.nat.port": 7515, "source.port": 52985, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -419,7 +435,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -455,7 +474,8 @@ "source.nat.port": 3225, "source.port": 52987, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -511,7 +531,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -547,7 +570,8 @@ "source.nat.port": 60449, "source.port": 52988, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -603,7 +627,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -639,7 +666,8 @@ "source.nat.port": 60559, "source.port": 52990, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -695,7 +723,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -731,7 +762,8 @@ "source.nat.port": 47414, "source.port": 52989, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -787,7 +819,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -823,7 +858,8 @@ "source.nat.port": 37673, "source.port": 52992, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -879,7 +915,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -915,7 +954,8 @@ "source.nat.port": 8232, "source.port": 52991, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -971,7 +1011,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1007,7 +1050,8 @@ "source.nat.port": 32982, "source.port": 52994, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1063,7 +1107,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1099,7 +1146,8 @@ "source.nat.port": 10473, "source.port": 52993, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1155,7 +1203,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1191,7 +1242,8 @@ "source.nat.port": 20446, "source.port": 52995, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1247,7 +1299,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1283,7 +1338,8 @@ "source.nat.port": 34699, "source.port": 52996, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1339,7 +1395,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1375,7 +1434,8 @@ "source.nat.port": 22820, "source.port": 52997, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1431,7 +1491,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1467,7 +1530,8 @@ "source.nat.port": 41060, "source.port": 52998, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1523,7 +1587,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1559,7 +1626,8 @@ "source.nat.port": 9058, "source.port": 52999, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1615,7 +1683,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1651,7 +1722,8 @@ "source.nat.port": 54846, "source.port": 53001, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1707,7 +1779,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1743,7 +1818,8 @@ "source.nat.port": 52731, "source.port": 53002, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1799,7 +1875,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1835,7 +1914,8 @@ "source.nat.port": 15165, "source.port": 53003, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1891,7 +1971,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.137.131", @@ -1927,7 +2010,8 @@ "source.nat.port": 53918, "source.port": 53004, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "b.scorecardresearch.com/" }, @@ -1983,7 +2067,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2019,7 +2106,8 @@ "source.nat.port": 40792, "source.port": 53000, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2075,7 +2163,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2111,7 +2202,8 @@ "source.nat.port": 54044, "source.port": 53006, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2167,7 +2259,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2203,7 +2298,8 @@ "source.nat.port": 19544, "source.port": 53007, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2259,7 +2355,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2295,7 +2394,8 @@ "source.nat.port": 13462, "source.port": 53008, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2351,7 +2451,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2387,7 +2490,8 @@ "source.nat.port": 44892, "source.port": 53010, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2443,7 +2547,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2479,7 +2586,8 @@ "source.nat.port": 16487, "source.port": 53011, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2535,7 +2643,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2571,7 +2682,8 @@ "source.nat.port": 23952, "source.port": 53012, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2627,7 +2739,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2663,7 +2778,8 @@ "source.nat.port": 2810, "source.port": 53013, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2719,7 +2835,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2755,7 +2874,8 @@ "source.nat.port": 13272, "source.port": 53014, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2811,7 +2931,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2847,7 +2970,8 @@ "source.nat.port": 8663, "source.port": 53022, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2903,7 +3027,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2939,7 +3066,8 @@ "source.nat.port": 55738, "source.port": 53023, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2995,7 +3123,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -3031,7 +3162,8 @@ "source.nat.port": 10650, "source.port": 53024, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -3087,7 +3219,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -3123,7 +3258,8 @@ "source.nat.port": 44087, "source.port": 53025, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -3179,7 +3315,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -3215,7 +3354,8 @@ "source.nat.port": 15915, "source.port": 53026, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -3271,7 +3411,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "151.101.2.2", @@ -3307,7 +3450,8 @@ "source.nat.port": 41165, "source.port": 53041, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cdn.taboola.com/" }, @@ -3366,7 +3510,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.192.7.152", @@ -3402,7 +3549,8 @@ "source.nat.port": 54133, "source.port": 53040, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "rules.quantcount.com/" }, @@ -3461,7 +3609,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3497,7 +3648,8 @@ "source.nat.port": 8485, "source.port": 53093, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -3556,7 +3708,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3592,7 +3747,8 @@ "source.nat.port": 12496, "source.port": 53094, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3651,7 +3807,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3687,7 +3846,8 @@ "source.nat.port": 17029, "source.port": 53095, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3746,7 +3906,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3782,7 +3945,8 @@ "source.nat.port": 23696, "source.port": 53096, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -3841,7 +4005,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3877,7 +4044,8 @@ "source.nat.port": 34769, "source.port": 53097, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3936,7 +4104,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3972,7 +4143,8 @@ "source.nat.port": 22486, "source.port": 53099, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4031,7 +4203,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4067,7 +4242,8 @@ "source.nat.port": 12894, "source.port": 53100, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -4126,7 +4302,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4162,7 +4341,8 @@ "source.nat.port": 62348, "source.port": 53101, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4221,7 +4401,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4257,7 +4440,8 @@ "source.nat.port": 6224, "source.port": 53104, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4316,7 +4500,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4352,7 +4539,8 @@ "source.nat.port": 44120, "source.port": 53107, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -4411,7 +4599,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4447,7 +4638,8 @@ "source.nat.port": 44228, "source.port": 53108, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4506,7 +4698,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4542,7 +4737,8 @@ "source.nat.port": 31322, "source.port": 53109, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4601,7 +4797,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.98", @@ -4637,7 +4836,8 @@ "source.nat.port": 1672, "source.port": 53118, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "www.googleadservices.com/" }, 
@@ -4693,7 +4893,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4729,7 +4932,8 @@ "source.nat.port": 20801, "source.port": 53126, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4785,7 +4989,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4821,7 +5028,8 @@ "source.nat.port": 24533, "source.port": 53127, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4877,7 +5085,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4913,7 +5124,8 @@ "source.nat.port": 30150, "source.port": 53128, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -4969,7 +5181,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5005,7 +5220,8 @@ "source.nat.port": 36305, "source.port": 53129, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5061,7 +5277,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5097,7 +5316,8 @@ "source.nat.port": 42682, "source.port": 53130, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5153,7 +5373,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5189,7 +5412,8 @@ "source.nat.port": 22530, "source.port": 53131, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -5245,7 +5469,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5281,7 +5508,8 @@ "source.nat.port": 43713, "source.port": 53132, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5337,7 +5565,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5373,7 +5604,8 @@ "source.nat.port": 60608, "source.port": 53133, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5429,7 +5661,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5465,7 +5700,8 @@ "source.nat.port": 9302, "source.port": 53134, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -5521,7 +5757,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5557,7 +5796,8 @@ "source.nat.port": 11634, "source.port": 53135, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5616,7 +5856,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5652,7 +5895,8 @@ "source.nat.port": 30818, "source.port": 53152, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5711,7 +5955,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5747,7 +5994,8 @@ "source.nat.port": 64260, "source.port": 53155, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -5806,7 +6054,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5842,7 +6093,8 @@ "source.nat.port": 7071, "source.port": 53158, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5901,7 +6153,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5937,7 +6192,8 @@ "source.nat.port": 4512, "source.port": 53160, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5996,7 +6252,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6032,7 +6291,8 @@ "source.nat.port": 3422, "source.port": 53161, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6091,7 +6351,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6127,7 +6390,8 @@ "source.nat.port": 4651, "source.port": 53162, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6186,7 +6450,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6222,7 +6489,8 @@ "source.nat.port": 19068, "source.port": 53163, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6281,7 +6549,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6317,7 +6588,8 @@ "source.nat.port": 5831, "source.port": 53164, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6376,7 +6648,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6412,7 +6687,8 @@ "source.nat.port": 7084, "source.port": 53165, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6471,7 +6747,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6507,7 +6786,8 @@ "source.nat.port": 18633, "source.port": 53166, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6566,7 +6846,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6602,7 +6885,8 @@ "source.nat.port": 25557, "source.port": 53167, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6661,7 +6945,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6697,7 +6984,8 @@ "source.nat.port": 20661, "source.port": 53150, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6756,7 +7044,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6792,7 +7083,8 @@ "source.nat.port": 65438, "source.port": 53185, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6851,7 +7143,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6887,7 +7182,8 @@ "source.nat.port": 53101, "source.port": 53187, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6946,7 +7242,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6982,7 +7281,8 @@ "source.nat.port": 35463, "source.port": 53188, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -7041,7 +7341,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -7077,7 +7380,8 @@ "source.nat.port": 45769, "source.port": 53178, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" } diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index bb3e9809c3e..62c6b543cca 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -58,7 +58,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.152", 
@@ -95,7 +98,8 @@ "source.packets": 16, "source.port": 55113, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -157,7 +161,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -194,7 +201,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -259,7 +267,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.253.3.202", @@ -296,7 +307,8 @@ "source.packets": 6, "source.port": 55114, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -358,7 +370,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -395,7 +410,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -460,7 +476,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.99", @@ -497,7 +516,8 @@ "source.packets": 5, "source.port": 46774, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -559,7 +579,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "209.234.224.22", @@ -596,7 +619,8 @@ "source.packets": 62, "source.port": 52408, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -658,7 +682,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -695,7 +722,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -757,7 +785,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.2.238", @@ -794,7 +825,8 @@ "source.packets": 7, "source.port": 59190, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -856,7 +888,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -893,7 +928,8 @@ "source.packets": 1, "source.port": 49728, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -955,7 +991,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -992,7 +1031,8 @@ "source.packets": 1, "source.port": 50500, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1054,7 +1094,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.249.60.78", @@ -1091,7 +1134,8 @@ "source.packets": 16, "source.port": 55112, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1153,7 +1197,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1190,7 +1237,8 @@ "source.packets": 1, "source.port": 57632, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1252,7 +1300,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1289,7 +1340,8 @@ "source.packets": 1, "source.port": 50271, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1351,7 +1403,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1388,7 +1443,8 @@ "source.packets": 1, "source.port": 54061, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1450,7 +1506,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1487,7 +1546,8 @@ "source.packets": 1, "source.port": 52701, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1549,7 +1609,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1586,7 +1649,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1648,7 +1712,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1685,7 +1752,8 @@ "source.packets": 1, "source.port": 62503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1747,7 +1815,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "98.138.49.44", @@ -1784,7 +1855,8 @@ "source.packets": 14, "source.port": 52442, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1846,7 +1918,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "72.30.3.43", @@ -1883,7 +1958,8 @@ "source.packets": 13, "source.port": 52441, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1945,7 +2021,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1982,7 +2061,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2044,7 +2124,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", @@ -2081,7 +2164,8 @@ "source.packets": 19, "source.port": 52355, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2143,7 +2227,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2180,7 +2267,8 @@ "source.packets": 1, "source.port": 50196, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2245,7 +2333,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.84.80.198", @@ -2282,7 +2373,8 @@ "source.packets": 13, "source.port": 52454, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2345,7 +2437,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", @@ -2382,7 +2477,8 @@ "source.packets": 8, "source.port": 52445, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2444,7 +2540,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2481,7 +2580,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2540,7 +2640,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2577,7 +2680,8 @@ "source.packets": 1, "source.port": 35485, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2636,7 +2740,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", @@ -2673,7 +2780,8 @@ "source.packets": 6, "source.port": 62730, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2735,7 +2843,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "151.101.2.2", @@ -2772,7 +2883,8 @@ "source.packets": 8, "source.port": 52506, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2837,7 +2949,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.66", @@ -2874,7 +2989,8 @@ "source.packets": 5, "source.port": 60596, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2936,7 +3052,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2973,7 +3092,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3035,7 +3155,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3072,7 +3195,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3134,7 +3258,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.193", @@ -3171,7 +3298,8 @@ "source.packets": 12, "source.port": 52514, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3233,7 +3361,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3270,7 +3401,8 @@ "source.packets": 1, "source.port": 55155, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3333,7 +3465,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", @@ -3370,7 +3505,8 @@ "source.packets": 1, "source.port": 52445, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3435,7 +3571,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.52.219", @@ -3472,7 +3611,8 @@ "source.packets": 11, "source.port": 52516, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3537,7 +3677,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.71.117.196", @@ -3574,7 +3717,8 @@ "source.packets": 19, "source.port": 52511, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3636,7 +3780,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3673,7 +3820,8 @@ "source.packets": 1, "source.port": 3018, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3735,7 +3883,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3772,7 +3923,8 @@ "source.packets": 1, "source.port": 16569, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3837,7 +3989,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.194.41", @@ -3874,7 +4029,8 @@ "source.packets": 24, "source.port": 52479, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3935,7 +4091,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.124.9", @@ -3972,7 +4131,8 @@ "source.packets": 63, "source.port": 52478, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4037,7 +4197,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.131.237", @@ -4074,7 +4237,8 @@ "source.packets": 17, "source.port": 52502, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4136,7 +4300,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", @@ -4173,7 +4340,8 @@ "source.packets": 8, "source.port": 52458, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4238,7 +4406,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.190.88.148", @@ -4275,7 +4446,8 @@ "source.packets": 15, "source.port": 52484, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4340,7 +4512,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.243.83", @@ -4377,7 +4552,8 @@ "source.packets": 15, "source.port": 52482, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4439,7 +4615,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4476,7 +4655,8 @@ "source.packets": 1, "source.port": 33769, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4538,7 +4718,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4575,7 +4758,8 @@ "source.packets": 1, "source.port": 14106, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4640,7 +4824,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "untrust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.165.74", @@ -4677,7 +4864,8 @@ "source.packets": 17, "source.port": 52503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4739,7 +4927,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "xtrust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", @@ -4776,7 +4967,8 @@ "source.packets": 8, "source.port": 52459, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4837,7 +5029,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.94.140", @@ -4874,7 +5069,8 @@ "source.packets": 15, "source.port": 52483, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4934,7 +5130,10 @@ "observer.egress.interface.name": "ethernet1/1", "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4969,7 +5168,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5031,7 +5231,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5068,7 +5271,8 @@ "source.packets": 1, "source.port": 38663, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5130,7 +5334,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5167,7 +5374,8 @@ "source.packets": 1, "source.port": 50443, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5229,7 +5437,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5266,7 +5477,8 @@ "source.packets": 1, "source.port": 54215, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5328,7 +5540,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5365,7 +5580,8 @@ "source.packets": 1, "source.port": 35827, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5427,7 +5643,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5464,7 +5683,8 @@ "source.packets": 1, "source.port": 60609, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5526,7 +5746,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5563,7 +5786,8 @@ "source.packets": 1, "source.port": 3248, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5625,7 +5849,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -5662,7 +5889,8 @@ "source.packets": 1, "source.port": 49284, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5724,7 +5952,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5761,7 +5992,8 @@ "source.packets": 1, "source.port": 57732, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5823,7 +6055,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5860,7 +6095,8 @@ "source.packets": 1, "source.port": 49195, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5922,7 +6158,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5959,7 +6198,8 @@ "source.packets": 1, "source.port": 17266, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6021,7 +6261,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6058,7 +6301,8 @@ "source.packets": 1, "source.port": 48631, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6120,7 +6364,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6157,7 +6404,8 @@ "source.packets": 1, "source.port": 58540, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6219,7 +6467,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6256,7 +6507,8 @@ "source.packets": 1, "source.port": 42678, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6321,7 +6573,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "66.28.0.45", @@ -6358,7 +6613,8 @@ "source.packets": 1, "source.port": 16576, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6420,7 +6676,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6457,7 +6716,8 @@ "source.packets": 1, "source.port": 39830, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6519,7 +6779,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6556,7 +6819,8 @@ "source.packets": 1, "source.port": 6185, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6618,7 +6882,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6655,7 +6922,8 @@ "source.packets": 1, "source.port": 8781, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6717,7 +6985,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6754,7 +7025,8 @@ "source.packets": 1, "source.port": 16788, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6816,7 +7088,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6853,7 +7128,8 @@ "source.packets": 1, "source.port": 45307, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6918,7 +7194,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.52.174.25", @@ -6955,7 +7234,8 @@ "source.packets": 6, "source.port": 52520, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7017,7 +7297,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7054,7 +7337,8 @@ "source.packets": 1, "source.port": 8503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7116,7 +7400,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7153,7 +7440,8 @@ "source.packets": 1, "source.port": 6910, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7218,7 +7506,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.230.5.228", @@ -7255,7 +7546,8 @@ "source.packets": 5, "source.port": 52475, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7317,7 +7609,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7354,7 +7649,8 @@ "source.packets": 1, "source.port": 14342, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7416,7 +7712,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7453,7 +7752,8 @@ "source.packets": 1, "source.port": 48197, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7515,7 +7815,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7552,7 +7855,8 @@ "source.packets": 1, "source.port": 32296, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7614,7 +7918,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "208.83.246.20", @@ -7651,7 +7958,8 @@ "source.packets": 1, "source.port": 33870, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7712,7 +8020,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "drop-icmp", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7749,7 +8060,8 @@ "source.packets": 2, "source.port": 54659, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7810,7 +8122,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-client", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7847,7 +8162,8 @@ "source.packets": 1, "source.port": 57446, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7908,7 +8224,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-server", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7945,7 +8264,8 @@ "source.packets": 1, "source.port": 22655, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8008,7 +8328,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.185.88.112", @@ -8045,7 +8368,8 @@ "source.packets": 13, "source.port": 52509, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8107,7 +8431,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8144,7 +8471,8 @@ "source.packets": 1, "source.port": 27192, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8206,7 +8534,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8243,7 +8574,8 @@ "source.packets": 1, "source.port": 30221, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8305,7 +8637,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8342,7 +8677,8 @@ "source.packets": 1, "source.port": 30570, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8407,7 +8743,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -8444,7 +8783,8 @@ "source.packets": 8, "source.port": 52497, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8509,7 +8849,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -8546,7 +8889,8 @@ "source.packets": 8, "source.port": 52498, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8611,7 +8955,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -8648,7 +8995,8 @@ "source.packets": 8, "source.port": 52496, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8710,7 +9058,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "104.254.150.9", @@ -8747,7 +9098,8 @@ "source.packets": 12, "source.port": 52510, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8812,7 +9164,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -8849,7 +9204,8 @@ "source.packets": 8, "source.port": 52495, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8914,7 +9270,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.0.218.108", @@ -8951,7 +9310,8 @@ "source.packets": 4, "source.port": 52486, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -9016,7 +9376,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.6.117.19", @@ -9053,7 +9416,8 @@ "source.packets": 4, "source.port": 52489, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9118,7 +9482,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "34.238.96.22", @@ -9155,7 +9522,8 @@ "source.packets": 4, "source.port": 52490, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9220,7 +9588,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "130.211.47.17", @@ -9257,7 +9628,8 @@ "source.packets": 4, "source.port": 52493, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -9319,7 +9691,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9356,7 +9731,8 @@ "source.packets": 1, "source.port": 59320, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9418,7 +9794,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9455,7 +9834,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9517,7 +9897,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9554,7 +9937,8 @@ "source.packets": 1, "source.port": 13076, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9616,7 +10000,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -9653,7 +10040,8 @@ "source.packets": 1, "source.port": 5511, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9715,7 +10103,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9752,7 +10143,8 @@ "source.packets": 1, "source.port": 9799, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9814,7 +10206,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9851,7 +10246,8 @@ "source.packets": 1, "source.port": 39169, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9913,7 +10309,10 @@ "observer.hostname": "PA-220", "observer.ingress.interface.name": "ethernet1/2", "observer.ingress.zone": "trust", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9950,7 +10349,8 @@ "source.packets": 1, "source.port": 42476, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] } ] \ No newline at end of file