Open willemri opened 13 hours ago
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
When working on this, keep in mind that a TLD may contain multiple dots, e.g. `.co.uk`; it won't be as simple as splitting the strings on `.`.
Integration Name
Palo Alto Next-Gen Firewall [panw]
Dataset Name
panw.*
Integration Version
4.1.0
Agent Version
4.1.0
Agent Output Type
elasticsearch
Elasticsearch Version
8.14.3
OS Version and Architecture
RedHat 9
Software/API Version
No response
Error Message
It would be nice that when `url.domain` or `destination.domain` is present, these fields are also parsed. We can then avoid making wildcard searches:
`destination.registered_domain`, `destination.subdomain`, `destination.top_level_domain`
Event Original
<14>Nov 22 11:44:08 AC-PA5250 1,2024/11/22 11:44:07,013101001308,THREAT,url,2561,2024/11/22 11:44:07,11.24.156.36,64.233.167.104,2.1.16.120,64.233.167.104,MyRuleName,localdomain\localuser,,google-base,vsys1,IngressZone,EgressZone,ae1.490,ae2.498,Panorama-Elastic,2024/11/22 11:44:07,33713037,1,52889,443,5800,443,0x40b400,tcp,alert,"www.google.com/",(9999),search-engines,informational,client-to-server,7406333526311476911,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CAC,search-engines,low-risk",c6fc2c02-fa8b-4d78-82cf-d50a8a7b30d6,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-11-22T11:44:07.984+01:00,,,,EgressZone-utility,general-EgressZone,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,google-base,no,no,_reportid

### What did you do?
search in data

### What did you see?
only destination.domain

### What did you expect to see?
url: www.google.com
destination.registered_domain: google.com
destination.subdomain: www
destination.top_level_domain: com

### Anything else?
_No response_
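The split the issue asks for, and the multi-dot suffix caveat from the comment above, as an added example that is not code from the panw integration or from either poster. It matches the longest known public suffix instead of cutting at the last dot; the suffix set is a constructed stand-in for the full Public Suffix List, and the `naive_split` helper is there only to show what goes wrong with `.co.uk`.

```python
# Added example: derive ECS registered_domain / subdomain / top_level_domain
# from a host name by public-suffix matching, so suffixes such as co.uk work.
# Assumption: this constructed mini set stands in for the full Public Suffix
# List (publicsuffix.org) that a real implementation would load.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "jp", "co.jp"}


def naive_split(domain):
    """The tempting approach: split on the last dot. Wrong for co.uk etc."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def split_domain(domain):
    """Return (subdomain, registered_domain, top_level_domain), or None when
    the name has no registrable part (bare suffix, single label, unknown TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_start = None
    # Try every suffix from shortest to longest and keep the longest match,
    # so 'co.uk' wins over 'uk'.
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
    # No known suffix, or nothing in front of the suffix to register.
    if suffix_start is None or suffix_start == 0:
        return None
    tld = ".".join(labels[suffix_start:])
    registered = ".".join(labels[suffix_start - 1:])
    subdomain = ".".join(labels[:suffix_start - 1])
    return subdomain, registered, tld


def domain_fields(domain, prefix="destination"):
    """Build the ECS fields requested in the issue; subdomain is left out when
    empty so it never lands in the document as an empty string."""
    parts = split_domain(domain)
    if parts is None:
        return {f"{prefix}.domain": domain}
    subdomain, registered, tld = parts
    fields = {
        f"{prefix}.domain": domain,
        f"{prefix}.registered_domain": registered,
        f"{prefix}.top_level_domain": tld,
    }
    if subdomain:
        fields[f"{prefix}.subdomain"] = subdomain
    return fields
```

In an ingest pipeline the same job is done by the Elasticsearch `registered_domain` processor, which is backed by the real Public Suffix List.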