File: //usr/share/filebeat/module/juniper/srx/ingest/atp.yml
description: Pipeline for parsing junipersrx firewall logs (atp pipeline)
processors:
#######################
## ECS Event Mapping ##
#######################
- set:
field: event.kind
value: event
- set:
field: event.outcome
value: success
if: "ctx.juniper?.srx?.tag != null"
- append:
field: event.category
value: network
- set:
field: event.kind
value: alert
if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
- append:
field: event.category
value: malware
if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
- append:
field: event.type
value:
- info
- denied
- connection
if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
- append:
field: event.type
value:
- allowed
- connection
if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'"
- set:
field: event.action
value: malware_detected
if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
####################################
## ECS Server/Destination Mapping ##
####################################
- rename:
field: juniper.srx.destination_address
target_field: destination.ip
ignore_missing: true
if: "ctx.juniper?.srx?.destination_address != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- rename:
field: juniper.srx.nat_destination_address
target_field: destination.nat.ip
ignore_missing: true
if: "ctx.juniper?.srx?.nat_destination_address != null"
- convert:
field: juniper.srx.destination_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.destination_port != null"
- set:
field: server.port
value: '{{destination.port}}'
if: "ctx.destination?.port != null"
- convert:
field: server.port
target_field: server.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.port != null"
- convert:
field: juniper.srx.nat_destination_port
target_field: destination.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.nat_destination_port != null"
- set:
field: server.nat.port
value: '{{destination.nat.port}}'
if: "ctx.destination?.nat?.port != null"
- convert:
field: server.nat.port
target_field: server.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.nat?.port != null"
- convert:
field: juniper.srx.bytes_from_server
target_field: destination.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.bytes_from_server != null"
- set:
field: server.bytes
value: '{{destination.bytes}}'
if: "ctx.destination?.bytes != null"
- convert:
field: server.bytes
target_field: server.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.bytes != null"
- convert:
field: juniper.srx.packets_from_server
target_field: destination.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.packets_from_server != null"
- set:
field: server.packets
value: '{{destination.packets}}'
if: "ctx.destination?.packets != null"
- convert:
field: server.packets
target_field: server.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.packets != null"
###############################
## ECS Client/Source Mapping ##
###############################
- rename:
field: juniper.srx.source_address
target_field: source.ip
ignore_missing: true
if: "ctx.juniper?.srx?.source_address != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- rename:
field: juniper.srx.nat_source_address
target_field: source.nat.ip
ignore_missing: true
if: "ctx.juniper?.srx?.nat_source_address != null"
- rename:
field: juniper.srx.sourceip
target_field: source.ip
ignore_missing: true
if: "ctx.juniper?.srx?.sourceip != null"
- convert:
field: juniper.srx.source_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.source_port != null"
- set:
field: client.port
value: '{{source.port}}'
if: "ctx.source?.port != null"
- convert:
field: client.port
target_field: client.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.port != null"
- convert:
field: juniper.srx.nat_source_port
target_field: source.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.nat_source_port != null"
- set:
field: client.nat.port
value: '{{source.nat.port}}'
if: "ctx.source?.nat?.port != null"
- convert:
field: client.nat.port
target_field: client.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.nat?.port != null"
- convert:
field: juniper.srx.bytes_from_client
target_field: source.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.bytes_from_client != null"
- set:
field: client.bytes
value: '{{source.bytes}}'
if: "ctx.source?.bytes != null"
- convert:
field: client.bytes
target_field: client.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.bytes != null"
- convert:
field: juniper.srx.packets_from_client
target_field: source.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.packets_from_client != null"
- set:
field: client.packets
value: '{{source.packets}}'
if: "ctx.source?.packets != null"
- convert:
field: client.packets
target_field: client.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.packets != null"
- rename:
field: juniper.srx.username
target_field: source.user.name
ignore_missing: true
if: "ctx.juniper?.srx?.username != null"
- rename:
field: juniper.srx.hostname
target_field: source.domain
ignore_missing: true
if: "ctx.juniper?.srx?.hostname != null"
- rename:
field: juniper.srx.client_ip
target_field: source.ip
ignore_missing: true
if: "ctx.juniper?.srx?.client_ip != null"
######################
## ECS URL Mapping ##
######################
- rename:
field: juniper.srx.http_host
target_field: url.domain
ignore_missing: true
if: "ctx.juniper?.srx?.http_host != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
field: juniper.srx.protocol_id
target_field: network.iana_number
ignore_missing: true
if: "ctx.juniper?.srx?.protocol_id != null"
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
if: "ctx.source?.geo == null"
- geoip:
field: destination.ip
target_field: destination.geo
ignore_missing: true
if: "ctx.destination?.geo == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
field: source.nat.ip
target_field: source.geo
ignore_missing: true
if: "ctx.source?.geo == null"
- geoip:
field: destination.nat.ip
target_field: destination.geo
ignore_missing: true
if: "ctx.destination?.geo == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.nat.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
if: "ctx.source?.as == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.nat.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
if: "ctx.destination?.as == null"
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- rename:
field: destination.as.asn
target_field: destination.as.number
ignore_missing: true
- rename:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
###############
## Timestamp ##
###############
- date:
if: 'ctx.juniper.srx?.timestamp != null'
field: juniper.srx.timestamp
target_field: juniper.srx.timestamp
formats:
- 'EEE MMM dd HH:mm:ss yyyy'
- 'EEE MMM d HH:mm:ss yyyy'
on_failure:
- remove:
field:
- juniper.srx.timestamp
#############
## Cleanup ##
#############
- remove:
field:
- juniper.srx.destination_port
- juniper.srx.nat_destination_port
- juniper.srx.bytes_from_client
- juniper.srx.packets_from_client
- juniper.srx.source_port
- juniper.srx.nat_source_port
- juniper.srx.bytes_from_server
- juniper.srx.packets_from_server
ignore_missing: true
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'