Merge pull request #451 from splunk/fix/palo-hipmatch

Correct Palo HIPMATCH events
CSVD · May 13, 2020 · 864d531 · 864d531
2 parents 2d3d655 + 4d10194
commit 864d531
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 7 deletions.
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
@@ -17,7 +17,7 @@
 | pan:threat     | None                                                                                          |
 | pan:system     | None                                                                                          |
 | pan:config     | None                                                                                          |
-| pan:hipwatch   | None                                                                                          |
+| pan:hipmatch   | None                                                                                          |
 | pan:correlation | None                                                                                          |
 
 ### Sourcetype and Index Configuration
@@ -29,7 +29,7 @@
 | pan_threat    | pan:threat      | netproxy          | none          |
 | pan_system    | pan:system      | netops          | none          |
 | pan_config    | pan:config      | netops          | none          |
-| pan_hipwatch    | pan:hipwatch      | netops          | none          |
+| hipmatch    | pan:hipmatch      | netops          | none          |
 | pan_correlation    | pan:correlation      | netops          | none          |
 
 ### Filter type

diff --git a/package/etc/conf.d/filters/paloalto/panos.conf b/package/etc/conf.d/filters/paloalto/panos.conf
@@ -5,5 +5,5 @@ filter f_is_palalto_format{
 };
 
 filter f_paloalto_panos {
-    message(',[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPWATCH|CORRELATION|USERID),');
+    message(',[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID),');
 };
diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
@@ -90,16 +90,16 @@ log {
         };
         rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))};
         parser {p_add_context_splunk(key("pan_config")); };
-    } elif (match('HIPWATCH', value('.pan.type'))) {    
+    } elif (match('HIPMATCH', value('.pan.type'))) {    
         parser {
             csv-parser(
                 columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_user","vsys","host_name","os","src_ip","hip_name","hip_count","hip_type","future_use3","future_use4","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
                 prefix(".pan.")
                 delimiters(',')
             );
         };
-        rewrite { r_set_splunk_dest_default(sourcetype("pan:hipwatch"), index("main"))};
-        parser {p_add_context_splunk(key("pan_hipwatch")); };
+        rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"), index("main"))};
+        parser {p_add_context_splunk(key("pan_hipmatch")); };
     } elif (match('CORRELATION', value('.pan.type'))) {    
         parser {
             csv-parser(

diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -61,7 +61,7 @@
 #pan_threat,index,netproxy
 #pan_system,index,netops
 #pan_config,index,netops
-#pan_hipwatch,index,main
+#pan_hipmatch,index,main
 #pan_correlation,index,main
 #pan_userid,index,netauth
 #pan_unknown,index,netops

diff --git a/tests/test_palo_alto.py b/tests/test_palo_alto.py
@@ -167,3 +167,36 @@ def test_palo_alto_traffic_mstime(record_property, setup_wordlist, setup_splunk,
     record_property("message", message)
 
     assert resultCount == 1
+
+
+#<14>May 11 10:13:22 xxxxxx 1,2020/05/11 10:13:22,015451000001111,HIPMATCH,0,2049,2020/05/11 10:13:22,xx.xx,vsys1,xx-xxxxx-MB,Mac,10.252.31.187,GP-HIP,1,profile,0,0,1052623,0x0,17,11,12,0,,xxxxx,1,0.0.0.0,
+def test_palo_alto_hipmatch(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist),
+                          random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%Y/%m/%d %H:%M:%S.%f")[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} 1,{{ time }},015451000001111,HIPMATCH,0,2049,{{ time }},xxxx.xxx,vsys1,xx-xxxxxx-MB,Mac,10.252.31.187,GP-HIP,1,profile,0,0,1052623,0x0,17,11,12,0,,{{ host }},1,0.0.0.0,\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"pan:hipmatch\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+