Fix PANW bad mapping of client/source and server/dest packets and bytes #18525

Merged
merged 1 commit into from
May 14, 2020


adriansr
Contributor

@adriansr adriansr commented May 14, 2020

PANW pipeline was mapping:

Bytes sent to client/destination bytes.
Bytes received to server/source bytes.
Packets sent to server/destination packets.
Packets received to client/source packets.

All of these mappings are wrong.

The correct mapping is:
Bytes sent to client/source bytes.
Bytes received to server/destination bytes.
Packets sent to client/source packets.
Packets received to server/destination packets.

Also adding some missing ECS mappings in the process.

Fixes #18522
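
The effect of the mapping change described above, as an added example that is not code from this PR or from Beats. The raw counter key names, helper names and sample session are constructed for illustration, and it assumes the client is the session source, as the "client/source" pairing in the description implies.

```python
# Added illustration: mapping tables transcribed from the PR description.
# Raw counter keys and the sample session are constructed, not real PAN-OS output.
OLD_MAPPING = {  # behaviour before the fix
    "bytes_sent": ("client.bytes", "destination.bytes"),
    "bytes_received": ("server.bytes", "source.bytes"),
    "packets_sent": ("server.packets", "destination.packets"),
    "packets_received": ("client.packets", "source.packets"),
}
FIXED_MAPPING = {  # behaviour after the fix
    "bytes_sent": ("client.bytes", "source.bytes"),
    "bytes_received": ("server.bytes", "destination.bytes"),
    "packets_sent": ("client.packets", "source.packets"),
    "packets_received": ("server.packets", "destination.packets"),
}


def to_ecs(counters, mapping):
    """Copy each raw counter into every ECS field the mapping assigns to it."""
    doc = {}
    for raw, targets in mapping.items():
        for field in targets:
            doc[field] = counters[raw]
    return doc


def inconsistent(doc, metric):
    """True when client/source or server/destination disagree for `metric`.

    With client == source these pairs must match, so a mismatch marks a
    document indexed by the old pipeline. Equal sent/received counts hide it.
    """
    return (doc[f"client.{metric}"] != doc[f"source.{metric}"]
            or doc[f"server.{metric}"] != doc[f"destination.{metric}"])


def repair_old_doc(doc):
    """Rebuild a document indexed with the old mapping into the fixed layout.

    The raw counters are recoverable from the old client.*/server.* fields.
    """
    counters = {
        "bytes_sent": doc["client.bytes"],
        "bytes_received": doc["server.bytes"],
        "packets_sent": doc["server.packets"],
        "packets_received": doc["client.packets"],
    }
    return to_ecs(counters, FIXED_MAPPING)


def upload_heavy(doc, ratio=10):
    """Toy egress rule: the source sent far more than it received."""
    return doc["source.bytes"] > ratio * doc["destination.bytes"]


# Constructed session: a client uploading about 5 MB and receiving 40 kB.
SESSION = {"bytes_sent": 5_000_000, "bytes_received": 40_000,
           "packets_sent": 3_600, "packets_received": 900}
OLD_DOC = to_ecs(SESSION, OLD_MAPPING)
FIXED_DOC = to_ecs(SESSION, FIXED_MAPPING)
```

The byte fields of an old document contradict each other and can be found with the consistency check, while the packet fields were swapped as a pair and stay self-consistent, so they can only be corrected by knowing which pipeline version indexed the document.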

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team and removed needs_team labels May 14, 2020
@adriansr
Contributor Author

Reviewed all the mappings just in case something else was off. Didn't find any other mapping error, but a few fields that can now be mapped to ECS. Can move that to a separate PR if we're not comfortable labeling those as a bug and backporting to a bugfix.

@adriansr adriansr requested review from leehinman and andrewkroh May 14, 2020 15:12
@elasticmachine
Collaborator

💚 Build Succeeded


Test stats 🧪

Test Results
Failed 0
Passed 1184
Skipped 128
Total 1312

@andrewkroh
Member

FYI @willemdh. Please let us know if you see any issues in this change.

Member

@andrewkroh andrewkroh left a comment


LGTM. Thanks!

@adriansr adriansr merged commit 463a52a into elastic:master May 14, 2020
adriansr added a commit to adriansr/beats that referenced this pull request May 14, 2020
…es (elastic#18525)

(cherry picked from commit 463a52a)
adriansr added a commit to adriansr/beats that referenced this pull request May 14, 2020
…es (elastic#18525)

(cherry picked from commit 463a52a)
adriansr added a commit to adriansr/beats that referenced this pull request May 14, 2020
…es (elastic#18525)

(cherry picked from commit 463a52a)
@willemdh

willemdh commented May 14, 2020

@adriansr @andrewkroh Thanks for fixing this finally. One more issue in the panw module ingest pipeline:

event.end seems to be calculated in the ingest pipeline:

      {
        "script" : {
          "if" : "ctx?.event?.duration != null",
          "params" : {
            "NANOS_IN_A_SECOND" : 1000000000
          },
          "source" : """
            long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND;
            ctx['event']['duration'] = nanos;
            def start = ctx.event?.start;
            if (start != null) {
              ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos);
            }
          """,
          "lang" : "painless"
        }
      },

/usr/share/filebeat/module/panw/panos/config/input.yml

        event.start: 35
        event.duration: 36

Can't post live events here, but these are the raw values of one of our logs:

Generated Time (mgmt plane): 2020/05/14 20:22:32
Generated Time (data plane): 2020/05/14 20:22:32
Start Time => 2020/05/14 20:22:11
Duration => 4

In Kibana:

event.start => May 14, 2020 @ 20:22:11.000
event.duration => 4,000,000,000
event.end => May 14, 2020 @ 20:22:15.000

event.end is actually already in the raw data field 2 (mgmt) or 7 (data) (not sure which is best, they seem the same in events I checked), as the panw events are generated at the end of the session.

The calculated event.end (May 14, 2020 @ 20:22:15.000) seems to be different from the actual session event end (2020/05/14 20:22:32), resulting in more confusion.

Please verify this and fix this too.

Tx

adriansr added a commit that referenced this pull request May 14, 2020
…es (#18525) (#18531)

(cherry picked from commit 463a52a)
adriansr added a commit that referenced this pull request May 14, 2020
…es (#18525) (#18532)

(cherry picked from commit 463a52a)
v1v added a commit to v1v/beats that referenced this pull request May 15, 2020
…w-oss

* upstream/master: (27 commits)
  Disable host fields for "cloud", panw, cef modules (elastic#18223)
  [docs] Rename monitoring collection from legacy internal collection to legacy collection (elastic#18504)
  Introduce auto detection of format (elastic#18095)
  Add additional fields to address issue elastic#18465 for googlecloud audit log (elastic#18472)
  Fix libbeat import path in seccomp policy template (elastic#18418)
  Address Okta input issue elastic#18530 (elastic#18534)
  [Ingest Manager] Avoid Chown on windows (elastic#18512)
  Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376)
  [CI] Optimise stash/unstash performance (elastic#18473)
  Libbeat: Remove global loggers from libbeat/metric and libbeat/cloudid (elastic#18500)
  Fix PANW bad mapping of client/source and server/dest packets and bytes (elastic#18525)
  Add a file lock to the data directory on startup to prevent multiple agents. (elastic#18483)
  Followup to 12606 (elastic#18316)
  changed input from syslog to tcp/udp due to unsupported RFC (elastic#18447)
  Improve ECS field mappings in Sysmon module. (elastic#18381)
  [Elastic Agent] Cleaner output of inspect command  (elastic#18405)
  [Elastic Agent] Pick up version from libbeat (elastic#18350)
  Update communitybeats.asciidoc (elastic#18470)
  [Metricbeat] Change visualization interval from 15m to >=15m (elastic#18466)
  docs: Fix typo in kerberos docs (elastic#18503)
  ...
adriansr added a commit that referenced this pull request May 15, 2020
…es (#18525) (#18533)

(cherry picked from commit 463a52a)
@adriansr
Contributor Author

@willemdh I'm not sure I follow.

First, ECS recommends that event.start + event.duration == event.end (When both start and end are defined).

So our choices are either calculating event.end (current solution), or ignoring the provided duration.

To me, the generated times (data or mgmt) are not necessarily the same as event.end:

event.end contains the date when the event ended or when the activity was last observed.

Those are more suited to @timestamp:

This is the date/time extracted from the event, typically representing when the event was generated by the source.

Am I missing something? Maybe the PANW fields mean something different than what I understand?

@willemdh

@adriansr Well our panw specialist pointed it out, I'll discuss it with him and let you know.

asmith-elastic added a commit that referenced this pull request Aug 30, 2022
Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525
dedemorton added a commit that referenced this pull request Sep 12, 2022
)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently maps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palo Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions. 

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
mergify bot pushed a commit that referenced this pull request Sep 12, 2022
)

(cherry picked from commit 0930b9b)
mergify bot pushed a commit that referenced this pull request Sep 12, 2022
)

(cherry picked from commit 0930b9b)
dedemorton pushed a commit that referenced this pull request Sep 13, 2022
) (#33059)

(cherry picked from commit 0930b9b)

Co-authored-by: Austin Smith <76973609+asmith-elastic@users.noreply.github.com>
dedemorton pushed a commit that referenced this pull request Sep 13, 2022
) (#33060)

(cherry picked from commit 0930b9b)

Co-authored-by: Austin Smith <76973609+asmith-elastic@users.noreply.github.com>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…es (elastic#18525) (elastic#18533)

(cherry picked from commit 9bae856)
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
)

Successfully merging this pull request may close these issues.

PANW module is incorrectly mapping client/source and server/destination bytes and packets