File: //usr/share/filebeat/module/panw/panos/ingest/hipmatch.yml
---
description: Pipeline for PanOS HIP Match Logs
processors:
- grok:
field: _temp_.srcuser
ignore_missing: true
ignore_failure: true
patterns:
- '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
- '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
- '%{USERNAME:source.user.name}'
if: ctx?._temp_?.srcuser != null
- set:
field: source.ip
value: "{{_temp_.source_ipv6}}"
if: ctx?._temp_?.source_ipv6 != null && ctx?._temp_?.source_ipv6 != "" && ctx?._temp_?.source_ipv6 != "0.0.0.0"
- set:
field: network.type
value: 'ipv4'
if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
- set:
field: network.type
value: 'ipv6'
if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
on_failure:
- append:
field: error.message
value: >-
error in HIP Match pipeline:
error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
{{ _ingest.on_failure_message }}