Closed punisherVX closed 5 years ago
If the Threat ID is always 12000000, then it is completely doable. The way it works currently is it looks for the File Name AND the domain name within that field. But, if it only has the domain name, we will have to key off of the threat id. But, with what you said, we should be able to do it.
From @aobszyns: "Threat/Content Name" value is always "Suspicious Domain(12000000)" and "URL/Filename" contains the domain name, in a form like the example here: "Suspicious DNS Query (ml314.com)"
From Elasticsearch it is parsed today as below. File Name is not forwarded as of today.
```json
{
  "domain_name": "Domain",
  "threat_id": "Suspicious Domain(12000000)",
  "threat_name": "Suspicious",
  "sig_num": "12000000"
}
```
I have added this to the 3.1l release sprint as a P3. Should be able to integrate this functionality using Logstash to correlate the 12000000 and parse the message correctly. Will update when the feature is being worked on.
This is fixed in commit 84ce23d8f8ebe8b8f47f8d7c97ef750312f970f1 Added new functionality to parse EDL based events and store in elasticsearch with SFN-EDL tag for searching.
Originally submitted by @aobszyns
It would be nice to have additional filtering/parsing possible for EDL-based spyware profiles (Custom DNS Signatures Block List) that generate Threat ID == 12000000.
In such a case the Domain field taken by Logstash is always "Domain" and the real domain name that hit the custom Spyware policy from the EDL is inside the "File Name" field. Example: File Name: "Suspicious DNS Query (ml314.com)"
What needs to be added then:
Gather "File Name" into the SFN software. If threat_id == 12000000, parse File_Name into the Domain name.
What do you think?
https://github.com/PaloAltoNetworks/safe-networking-sp/issues/90
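The parsing step the thread asks for (key off Threat ID 12000000, pull the real domain out of "File Name", tag the event SFN-EDL), written out as an added Python example. This is not the project's code or the Logstash filter from the referenced commit; it assumes the event is already a flat dict with the field names shown in the thread (`domain_name`, `threat_id`, `threat_name`, `sig_num`) plus an assumed `file_name` key for the forwarded "File Name" field and an assumed `tags` list. The sample events are constructed for the example. It also handles the cases the thread hints at: the signature number only being present inside the `threat_id` string, and an EDL hit whose "File Name" carries no parseable domain, which is left untouched rather than overwriting `domain_name` with junk.

```python
import re
from typing import Dict, Optional

# Threat ID that custom DNS signatures from an EDL generate, per the issue.
EDL_DNS_SIG_NUM = "12000000"
# Tag the thread says the fixed SFN stores these events under.
EDL_TAG = "SFN-EDL"

# "Suspicious DNS Query (ml314.com)" -> "ml314.com"
_DOMAIN_IN_PARENS = re.compile(r"\(\s*([A-Za-z0-9.-]+)\s*\)\s*$")
# "Suspicious Domain(12000000)" -> "12000000"
_SIG_IN_PARENS = re.compile(r"\((\d+)\)")


def signature_number(event: Dict[str, object]) -> Optional[str]:
    """Return the numeric signature, preferring sig_num, falling back to the
    number embedded in the threat_id string."""
    sig = event.get("sig_num")
    if sig:
        return str(sig).strip()
    m = _SIG_IN_PARENS.search(str(event.get("threat_id", "")))
    return m.group(1) if m else None


def domain_from_file_name(file_name: Optional[str]) -> Optional[str]:
    """Extract the domain in parentheses from a 'File Name' value, or None
    if the field is absent or does not carry a plausible domain."""
    if not file_name:
        return None
    m = _DOMAIN_IN_PARENS.search(file_name)
    if not m:
        return None
    domain = m.group(1).strip(".").lower()
    labels = domain.split(".")
    # Require at least two non-empty labels so "(x)" or "(..)" is rejected.
    if len(labels) < 2 or any(not label for label in labels):
        return None
    return domain


def enrich_edl_event(event: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of the event; for EDL hits (sig 12000000) replace the
    placeholder domain_name with the domain parsed from file_name and add
    the SFN-EDL tag. Non-EDL events and unparseable hits are returned as-is."""
    out = dict(event)
    if signature_number(out) != EDL_DNS_SIG_NUM:
        return out
    domain = domain_from_file_name(out.get("file_name"))  # assumed field name
    if domain is None:
        # EDL hit without a usable domain: keep "Domain" rather than guess.
        return out
    out["domain_name"] = domain
    tags = list(out.get("tags", []))  # assumed field name
    if EDL_TAG not in tags:
        tags.append(EDL_TAG)
    out["tags"] = tags
    return out


# Constructed sample events (not real log data).
SAMPLE_EDL_EVENT = {
    "domain_name": "Domain",
    "threat_id": "Suspicious Domain(12000000)",
    "threat_name": "Suspicious",
    "sig_num": "12000000",
    "file_name": "Suspicious DNS Query (ml314.com)",
}
SAMPLE_EDL_EVENT_NO_FILENAME = {
    "domain_name": "Domain",
    "threat_id": "Suspicious Domain(12000000)",
    "threat_name": "Suspicious",
    "sig_num": "12000000",
}
SAMPLE_NORMAL_EVENT = {
    "domain_name": "example.net",
    "threat_id": "Constructed Signature(99999999)",
    "threat_name": "Constructed",
    "sig_num": "99999999",
}

if __name__ == "__main__":
    for ev in (SAMPLE_EDL_EVENT, SAMPLE_EDL_EVENT_NO_FILENAME, SAMPLE_NORMAL_EVENT):
        print(enrich_edl_event(ev))
```

The check on `sig_num` first, then on the number inside `threat_id`, covers both field layouts shown in the thread; matching on the string "Suspicious Domain" alone would be fragile, since the signature name is operator-configurable while the numeric ID is what the thread says is stable.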