From 3375ab1744dc48d8252550ced169e23aeab9c899 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 11 May 2020 12:37:17 -0400
Subject: [PATCH] Correct Palo HIPMATCH events

---
 docs/sources/PaloaltoNetworks/index.md | 4 +--
 .../etc/conf.d/filters/paloalto/panos.conf | 2 +-
 .../log_paths/lp-paloalto_panos.conf.tmpl | 6 ++--
 .../splunk_index.csv.example | 2 +-
 tests/test_palo_alto.py | 33 +++++++++++++++++++
 5 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
index bc27602..2fae016 100644
--- a/docs/sources/PaloaltoNetworks/index.md
+++ b/docs/sources/PaloaltoNetworks/index.md
@@ -17,7 +17,7 @@
 | pan:threat | None |
 | pan:system | None |
 | pan:config | None |
-| pan:hipwatch | None |
+| pan:hipmatch | None |
 | pan:correlation | None |
 
 ### Sourcetype and Index Configuration
@@ -29,7 +29,7 @@
 | pan_threat | pan:threat | netproxy | none |
 | pan_system | pan:system | netops | none |
 | pan_config | pan:config | netops | none |
-| pan_hipwatch | pan:hipwatch | netops | none |
+| hipmatch | pan:hipmatch | netops | none |
 | pan_correlation | pan:correlation | netops | none |
 
 ### Filter type
diff --git a/package/etc/conf.d/filters/paloalto/panos.conf b/package/etc/conf.d/filters/paloalto/panos.conf
index 9c5109b..efe8304 100644
--- a/package/etc/conf.d/filters/paloalto/panos.conf
+++ b/package/etc/conf.d/filters/paloalto/panos.conf
@@ -5,5 +5,5 @@ filter f_is_palalto_format{
 };
 
 filter f_paloalto_panos {
- message(',[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPWATCH|CORRELATION|USERID),');
+ message(',[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID),');
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
index d5d7774..f07df1c 100644
--- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
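Review bot: The type alternation in `f_paloalto_panos` is duplicated by the `elif (match('...', value('.pan.type')))` chain in lp-paloalto_panos.conf.tmpl, and this commit shows how the two drift: the same wrong keyword had to be corrected in both files. An event whose type keyword is absent from this list fails the filter and presumably never reaches the PAN-OS log path, so a missing entry is a silent routing gap rather than an error. A comment above the `message(...)` line would make the coupling explicit: `# Keep this type list in step with the .pan.type branches in log_paths/lp-paloalto_panos.conf.tmpl`.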
@@ -90,7 +90,7 @@ log {
 };
 rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))};
 parser {p_add_context_splunk(key("pan_config")); };
- } elif (match('HIPWATCH', value('.pan.type'))) {
+ } elif (match('HIPMATCH', value('.pan.type'))) {
 parser {
 csv-parser(
 columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_user","vsys","host_name","os","src_ip","hip_name","hip_count","hip_type","future_use3","future_use4","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
@@ -98,8 +98,8 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:hipwatch"), index("main"))};
- parser {p_add_context_splunk(key("pan_hipwatch")); };
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"), index("main"))};
+ parser {p_add_context_splunk(key("pan_hipmatch")); };
 } elif (match('CORRELATION', value('.pan.type'))) {
 parser {
 csv-parser(
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index b52f7ea..f447021 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -61,7 +61,7 @@
 #pan_threat,index,netproxy
 #pan_system,index,netops
 #pan_config,index,netops
-#pan_hipwatch,index,main
+#pan_hipmatch,index,main
 #pan_correlation,index,main
 #pan_userid,index,netauth
 #pan_unknown,index,netops
diff --git a/tests/test_palo_alto.py b/tests/test_palo_alto.py
index 25dbecc..9633b32 100644
--- a/tests/test_palo_alto.py
+++ b/tests/test_palo_alto.py
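Review bot: The context key and index set in the second hunk, `key("pan_hipmatch")` and `index("main")`, disagree with the docs table changed in the same commit (docs/sources/PaloaltoNetworks/index.md), which lists the key as `hipmatch` and the index as `netops`. The splunk_index.csv.example hunk uses `pan_hipmatch` with `main`, so the doc row is the odd one out and should read `| pan_hipmatch | pan:hipmatch | main | none |`. Since that key is presumably what an operator puts in splunk_index.csv to override the destination, a wrong name in the docs would leave the override without effect. The enclosing `log { ... }` block starts and ends outside both hunks.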
@@ -167,3 +167,36 @@ def test_palo_alto_traffic_mstime(record_property, setup_wordlist, setup_splunk,
 record_property("message", message)
 
 assert resultCount == 1
+
+
+#<14>May 11 10:13:22 xxxxxx 1,2020/05/11 10:13:22,015451000001111,HIPMATCH,0,2049,2020/05/11 10:13:22,xx.xx,vsys1,xx-xxxxx-MB,Mac,10.252.31.187,GP-HIP,1,profile,0,0,1052623,0x0,17,11,12,0,,xxxxx,1,0.0.0.0,
+def test_palo_alto_hipmatch(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist),
+ random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ time = dt.strftime("%Y/%m/%d %H:%M:%S.%f")[:-3]
+ tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+ epoch = epoch[:-3]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} 1,{{ time }},015451000001111,HIPMATCH,0,2049,{{ time }},xxxx.xxx,vsys1,xx-xxxxxx-MB,Mac,10.252.31.187,GP-HIP,1,profile,0,0,1052623,0x0,17,11,12,0,,{{ host }},1,0.0.0.0,\n")
+ message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"pan:hipmatch\"")
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
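Review bot: The rendered `{{ time }}` carries milliseconds (`dt.strftime("%Y/%m/%d %H:%M:%S.%f")[:-3]`), but the sample event quoted on the comment line above the test uses whole-second timestamps (`2020/05/11 10:13:22`), so the test exercises a format the captured HIPMATCH event does not show; the block appears to have been copied from `test_palo_alto_traffic_mstime`. Unless millisecond timestamps are intended, render `time = dt.strftime("%Y/%m/%d %H:%M:%S")` and keep the `epoch[:-3]` trim only if `time_operations` returns milliseconds, which cannot be seen here. `tzoffset` is reformatted but never passed to `render`, and `iso`, `date`, `tzname` and `eventCount` are unpacked but unused, so those lines can go. The `<14>` priority in the comment also differs from the `<111>` the template sends; one of them should be corrected so the sample stays a faithful record of the event under test.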