panw: allow dollar sign at the end of a user name (#5886)

This allows a use where machine accounts are tagged in Active Directory with a dollar sign[1]. [1]https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oN0iCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Author: efd6

packages/panw/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.7.1"
+ changes:
+ - description: Fix handling of usernames terminated with a dollar sign.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5886
 - version: "3.7.0"
  changes:
  - description: Enable RFC 6587 framing by default on TCP input.

packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log

@@ -197,4 +197,5 @@ Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/
 1,2021/10/26 14:31:37,,TRAFFIC,end,2561,2021/10/26 14:31:37,81.2.69.144,81.2.69.145,,,intrazone-default,,,syslog,vsys1,LAN,LAN,ethernet1/2,ethernet1/2,LFPpan,2021/10/26 14:31:37,15840,1,43096,30514,0,0,0x10005e,udp,allow,2544,1364,1180,4,2021/10/26 14:31:01,0,any,,7022390495259151733,0x0,United States,United States,,2,2,aged-out,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:37.773-07:00
 1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,192.168.10.111,81.2.69.193,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15845,1,64898,53,60860,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151732,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.773-07:00
 1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,192.168.10.111,81.2.69.193,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00
-1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,0.0.0.0,0.0.0.0,any to Intranet DCs,intranet\\sampleuser,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00
+1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,0.0.0.0,0.0.0.0,any to Intranet DCs,intranet\\sampleuser,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00
+1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,0.0.0.0,0.0.0.0,any to Intranet DCs,intranet\\sampleuser$,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy," ", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00

packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json

@@ -36964,6 +36964,205 @@
  "domain": "intranet",
  "name": "sampleuser"
  }
+ },
+ {
+ "@timestamp": "2021-10-26T14:31:32.000Z",
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "name": "United States",
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.193",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 53
+ },
+ "packets": 0,
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "action": "flow_started",
+ "category": [
+ "network"
+ ],
+ "created": "2021-10-26T14:31:32.000Z",
+ "duration": 0,
+ "end": "2021-10-26T14:31:31.000Z",
+ "kind": "event",
+ "original": "1,2021/10/26 14:31:32,,TRAFFIC,start,2561,2021/10/26 14:31:32,81.2.69.193,81.2.69.193,0.0.0.0,0.0.0.0,any to Intranet DCs,intranet\\\\sampleuser$,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy,\" \", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00",
+ "outcome": "success",
+ "start": "2021-10-26T14:31:31.000Z",
+ "timezone": "UTC",
+ "type": [
+ "allowed",
+ "start",
+ "connection"
+ ]
+ },
+ "labels": {
+ "nat_translated": true
+ },
+ "message": "81.2.69.193,81.2.69.193,0.0.0.0,0.0.0.0,any to Intranet DCs,intranet\\\\sampleuser$,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/10/26 14:31:32,15844,1,64624,53,32849,53,0x400000,udp,allow,93,93,0,1,2021/10/26 14:31:31,0,any,,7022390495259151731,0x0,169.254.0.0-169.254.255.255,United States,,1,0,n/a,0,0,0,0,,PA-VM,from-policy,\" \", , , , , , , , , , , , , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00",
+ "network": {
+ "application": "dns",
+ "bytes": 93,
+ "community_id": [
+ "1:LaJxrnU+dNDHQ53Fp5twINgnUAI=",
+ "1:KJr4kMrCX4J3CX6oZjAeXy6e7CQ="
+ ],
+ "packets": 1,
+ "transport": "udp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "ethernet1/1"
+ },
+ "zone": "WAN"
+ },
+ "hostname": "PA-VM",
+ "ingress": {
+ "interface": {
+ "name": "ethernet1/2"
+ },
+ "zone": "LAN"
+ },
+ "product": "PAN-OS",
+ "type": "firewall",
+ "vendor": "Palo Alto Networks"
+ },
+ "panw": {
+ "panos": {
+ "action": "allow",
+ "action_flags": "0x0",
+ "action_source": "from-policy",
+ "bytes_received": 0,
+ "bytes_sent": 93,
+ "destination": {
+ "ip": "81.2.69.193",
+ "location": "United States",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 53
+ },
+ "port": 53,
+ "zone": "WAN"
+ },
+ "device_group_hierarchy1": "0",
+ "device_group_hierarchy2": "0",
+ "device_group_hierarchy3": "0",
+ "device_group_hierarchy4": "0",
+ "device_name": "PA-VM",
+ "elapsed_time": 0,
+ "endreason": "n/a",
+ "flow_id": "15844",
+ "generated_time": "2021-10-26T14:31:32.000Z",
+ "inbound_interface": "ethernet1/2",
+ "log_profile": "LFPpan",
+ "network": {
+ "application": "dns",
+ "bytes": 93,
+ "nat": {
+ "community_id": "1:KJr4kMrCX4J3CX6oZjAeXy6e7CQ="
+ },
+ "packets": 1
+ },
+ "outbound_interface": "ethernet1/1",
+ "packets_received": 0,
+ "packets_sent": 1,
+ "protocol": "udp",
+ "received_time": "2021-10-26T14:31:32.000Z",
+ "repeat_count": 1,
+ "ruleset": "any to Intranet DCs",
+ "sequence_number": "7022390495259151731",
+ "source": {
+ "ip": "81.2.69.193",
+ "location": "169.254.0.0-169.254.255.255",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 32849
+ },
+ "port": 64624,
+ "user": "sampleuser$",
+ "zone": "LAN"
+ },
+ "source_vm_uuid": " ",
+ "src": {
+ "profile": " , , , , , , , ,,,,2021-10-26T14:31:32.772-07:00"
+ },
+ "start_time": "2021-10-26T14:31:31.000Z",
+ "sub_type": "start",
+ "type": "TRAFFIC",
+ "url": {
+ "category": "any"
+ },
+ "virtual_sys": "vsys1"
+ }
+ },
+ "related": {
+ "hosts": [
+ "PA-VM"
+ ],
+ "ip": [
+ "81.2.69.193",
+ "0.0.0.0"
+ ],
+ "user": [
+ "sampleuser$"
+ ]
+ },
+ "rule": {
+ "name": "any to Intranet DCs"
+ },
+ "source": {
+ "bytes": 93,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "name": "169.254.0.0-169.254.255.255",
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.193",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 32849
+ },
+ "packets": 1,
+ "port": 64624,
+ "user": {
+ "domain": "intranet",
+ "name": "sampleuser$"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "intranet",
+ "name": "sampleuser$"
+ }
  }
  ]
 }

packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml

@@ -104,20 +104,24 @@ processors:
  field: _temp_.srcuser
  ignore_missing: true
  patterns:
- - '^%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}$'
- - '^%{HOSTNAME:source.user.domain}\\\\%{USERNAME:source.user.name}$'
+ - '^%{HOSTNAME:source.user.domain}\\%{USERNAMEM:source.user.name}$'
+ - '^%{HOSTNAME:source.user.domain}\\\\%{USERNAMEM:source.user.name}$'
  - '^%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}$'
  - '^%{USERNAME:source.user.name}$'
+ pattern_definitions:
+ USERNAMEM: '%{USERNAME}[$]?'
  if: ctx._temp_?.srcuser != null
 
  - grok:
  field: _temp_.dstuser
  ignore_missing: true
  patterns:
- - '^%{HOSTNAME:destination.user.domain}\\%{USERNAME:destination.user.name}$'
- - '^%{HOSTNAME:destination.user.domain}\\\\%{USERNAME:destination.user.name}$'
+ - '^%{HOSTNAME:destination.user.domain}\\%{USERNAMEM:destination.user.name}$'
+ - '^%{HOSTNAME:destination.user.domain}\\\\%{USERNAMEM:destination.user.name}$'
  - '^%{USERNAME:destination.user.name}@%{HOSTNAME:destination.user.domain}$'
  - '^%{USERNAME:destination.user.name}$'
+ pattern_definitions:
+ USERNAMEM: '%{USERNAME}[$]?'
  if: ctx._temp_?.dstuser != null
 
  - set:

packages/panw/manifest.yml

@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "3.7.0"
+version: "3.7.1"
 release: ga
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration