[panw] Map name for more subtypes, fix CSV escaping (#11917)

The HTTP Headers field (`panw.panos.http_headers`) of the incoming data is incorrectly escaped. This will be fixed if necessary before CSV parsing. Map the file name value in the URL/Filename (`panw.panos.misc`) field for the `wildfire` and `wildfire-virus` sub-types.
elastic · Nov 29, 2024 · dc9fe51 · dc9fe51
1 parent 754e816
commit dc9fe51
Show file tree

Hide file tree

Showing 5 changed files with 514 additions and 2 deletions.
diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.1.1"
+  changes:
+    - description: Map name for more subtypes, fix CSV escaping
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11917
 - version: "4.1.0"
   changes:
     - description: Parse URL from threat-file event type

diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
@@ -74,6 +74,9 @@ Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/1
 Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
 Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
 Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,Some-Header:"eg1.com, eg2.com";,
+Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,Some-Header:"eg1.com, eg2.com"; Another-Header:"eg3.com, eg4.com";,
+Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,Header-As-Last-Field:"eg1.com, eg2.com";
 1,2021/11/16 16:24:30,007051000184334,THREAT,virus,2561,2021/11/16 16:24:30,89.160.20.156,67.43.156.12,81.2.69.193,67.43.156.12,LAn-TO-WAn,,,web-browsing,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/11/16 16:24:30,1450,2,51360,36524,37704,36524,0x502000,tcp,reset-both,"browser",Virus/Linux.example(419149938),medium-risk,medium,server-to-client,7031297127854637094,0x0,United States,China,,,0,,,1,,,,,,,,0,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,elf,Antivirus-3901-4412,0x0,0,4294967295,,,5aa3aaa9-610a-433a-8aaa-729378021aaa,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-11-16T16:24:30.762-08:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no
 1,2021/11/16 16:24:05,007051000184334,THREAT,virus,2561,2021/11/16 16:24:05,89.160.20.156,67.43.156.12,81.2.69.193,67.43.156.12,LAn-TO-WAn,,,web-browsing,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/11/16 16:24:05,1451,1,51361,36524,24986,36524,0x502000,tcp,reset-both,"browser",Virus/Linux.example(419149938),medium-risk,medium,server-to-client,7031297127854637092,0x0,United States,China,,,0,,,1,,,,,,,,0,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,elf,Antivirus-3901-4412,0x0,0,4294967295,,,5aa3aaa9-610a-433a-8aaa-729378021aaa,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-11-16T16:24:05.837-08:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no
 1,2021/11/16 16:23:55,007051000184334,THREAT,spyware,2561,2021/11/16 16:23:55,89.160.20.156,67.43.156.13,81.2.69.193,67.43.156.13,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/11/16 16:23:55,1448,1,59738,53,4993,53,0x403000,udp,drop,"www.virussign.com",generic:www.virussign.com(327891564),any,medium,client-to-server,7031297127854637090,0x0,United States,United States,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,dns-malware,AppThreat-0-0,0x0,0,4294967295,,,5aa3aaa9-610a-433a-8aaa-729378021aaa,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-11-16T16:23:55.782-08:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",,dns,no,no