Skip to content

[panw] Generate processor tags and normalize error handler #15565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[panw] Generate processor tags and normalize error handler #15565

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3b1acce
[panw] Generate processor tags and normalize error handler
taylor-swanson Oct 6, 2025
0aea36b
changelog
taylor-swanson Oct 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/panw/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "5.3.5"
changes:
- description: Generate processor tags and normalize error handler.
type: enhancement
link: https://github.com/elastic/integrations/pull/15565
- version: "5.3.4"
changes:
- description: Fix broken link on the Palo Alto Network Integration page.
Expand Down
17 changes: 11 additions & 6 deletions packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,27 +11,33 @@ processors:
- user.name
- panw.panos.cmd
- event.outcome
tag: csv_4cf41818
- uppercase:
field: panw.panos.type
ignore_missing: true
# Set event.kind & event.category field.
tag: uppercase_ec638369
# Set event.kind & event.category field.
- set:
field: event.kind
value: event
tag: set_de80643c
- append:
field: event.category
value:
- configuration
tag: append_c8ab9fa2

# Set custom fields to ECS fields
# Set custom fields to ECS fields
- set:
field: observer.hostname
copy_from: panw.panos.device_name
ignore_failure: true
tag: set_5bc96c94
- set:
field: source.ip
copy_from: panw.panos.source.ip
ignore_failure: true
tag: set_c1b0f423

on_failure:
- set:
Expand All @@ -40,7 +46,6 @@ on_failure:
- append:
field: error.message
value: >-
error in Audit pipeline:
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
with tag [{{{_ingest.on_failure_processor_tag}}}]{{{/_ingest.on_failure_processor_tag}}}
{{{_ingest.on_failure_message}}}
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
24 changes: 17 additions & 7 deletions packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/authentication.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,63 +45,73 @@ processors:
- _temp_.future_use3
- _temp_.user_agent
- panw.panos.flow_id
tag: csv_4c28b73f

- append:
field: source.user.name
value: '{{{_temp_.user}}}'
if: ctx._temp_?.user != null && ctx._temp_.user != ''
allow_duplicates: false
ignore_failure: true
tag: append_61f77e09
- append:
field: source.user.name
value: '{{{panw.panos.normalize_user}}}'
if: ctx.panw?.panos?.normalize_user != null && ctx.panw.panos.normalize_user != ''
allow_duplicates: false
ignore_failure: true
tag: append_7cf5bcf3

# Set event.kind & event.category field.
# Set event.kind & event.category field.
- set:
field: event.kind
value: event
tag: set_de80643c
- append:
field: event.category
value:
- authentication
tag: append_c182a53a

# Set event.outcome
# Set event.outcome
- set:
field: event.outcome
value: success
tag: set_1af271cd

# Set custom fields to ECS fields
# Set custom fields to ECS fields
- set:
field: observer.hostname
copy_from: panw.panos.device_name
ignore_failure: true
tag: set_5bc96c94
- set:
field: rule.uuid
copy_from: panw.panos.rule_uuid
ignore_failure: true
tag: set_5478ecb2
- set:
field: source.ip
copy_from: panw.panos.source.ip
ignore_failure: true
tag: set_c1b0f423
- set:
field: panw.panos.user
copy_from: _temp_.user
ignore_failure: true
tag: set_007bc289
- set:
field: panw.panos.user_agent
copy_from: _temp_.user_agent
ignore_failure: true
tag: set_f4b744c1
on_failure:
- set:
field: event.kind
value: pipeline_error
- append:
field: error.message
value: >-
error in Authentication pipeline:
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
with tag [{{{_ingest.on_failure_processor_tag}}}]{{{/_ingest.on_failure_processor_tag}}}
{{{_ingest.on_failure_message}}}
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
29 changes: 20 additions & 9 deletions packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,13 @@ processors:
- panw.panos.result
- panw.panos.path
- _temp_.check_field
tag: csv_e2e3e7de
- convert:
field: _temp_.check_field
type: long
ignore_missing: true
ignore_failure: true
tag: convert_5a04d649
- csv:
field: message
trim: true
Expand Down Expand Up @@ -84,56 +86,66 @@ processors:
move: cmd-move
rename: cmd-rename
set: cmd-set
source:
ctx.event.action = params.get(ctx.panw.panos.cmd);
source: ctx.event.action = params.get(ctx.panw.panos.cmd);
tag: script_edc601fd
- set:
field: event.outcome
value: success
ignore_failure: true
if: ctx.panw?.panos?.result == 'Succeeded'
tag: set_a8d719f3
- set:
field: event.outcome
value: failure
ignore_failure: true
if: ctx.panw?.panos?.result == 'Failed'
tag: set_98bc1180
- set:
field: event.outcome
value: unknown
ignore_failure: true
if: '!["Succeeded", "Failed"].contains(ctx.panw.panos.action)'
tag: set_332ce513

# Set event.kind & event.category field.
# Set event.kind & event.category field.
- set:
field: event.kind
value: event
tag: set_de80643c
- append:
field: event.category
value:
- configuration
tag: append_c8ab9fa2

# Set custom fields to ECS fields
# Set custom fields to ECS fields
- set:
field: host.ip
copy_from: panw.panos.host.ip
ignore_failure: true
tag: set_ae377e8b
- set:
field: observer.hostname
copy_from: panw.panos.device_name
ignore_failure: true
tag: set_5bc96c94

# Set event.outcome from panw.panos.result: documented allowed values are Submitted, Succeeded, Failed, and Unauthorized
# Set event.outcome from panw.panos.result: documented allowed values are Submitted, Succeeded, Failed, and Unauthorized
- set:
if: ctx.panw?.panos?.result == "Succeeded"
field: event.outcome
value: success
tag: set_057c7750
- set:
if: ctx.panw?.panos?.result == "Failed"
field: event.outcome
value: failure
tag: set_777b32fd
- set:
if: ctx.event?.outcome == null || ctx.event.outcome == ""
field: event.outcome
value: unknown
tag: set_bcf074fb

on_failure:
- set:
Expand All @@ -142,7 +154,6 @@ on_failure:
- append:
field: error.message
value: >-
error in Config pipeline:
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
with tag [{{{_ingest.on_failure_processor_tag}}}]{{{/_ingest.on_failure_processor_tag}}}
{{{_ingest.on_failure_message}}}
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
20 changes: 13 additions & 7 deletions packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/correlated_event.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,34 +21,41 @@ processors:
- panw.panos.object.name
- panw.panos.object.id
- panw.panos.evidence
tag: csv_9f7a7cd8

# Set event.kind & event.category field.
# Set event.kind & event.category field.
- set:
field: event.kind
value: event
tag: set_de80643c
- append:
field: event.category
value:
- network
tag: append_38e4ac56

# Set event.outcome
# Set event.outcome
- set:
field: event.outcome
value: success
tag: set_1af271cd

# Set custom fields to ECS fields
# Set custom fields to ECS fields
- set:
field: log.level
copy_from: panw.panos.severity
ignore_failure: true
tag: set_ed3c9f74
- set:
field: observer.hostname
copy_from: panw.panos.device_name
ignore_failure: true
tag: set_5bc96c94
- set:
field: source.ip
copy_from: panw.panos.source.ip
ignore_failure: true
tag: set_c1b0f423

on_failure:
- set:
Expand All @@ -57,7 +64,6 @@ on_failure:
- append:
field: error.message
value: >-
error in Correlated Event pipeline:
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
with tag [{{{_ingest.on_failure_processor_tag}}}]{{{/_ingest.on_failure_processor_tag}}}
{{{_ingest.on_failure_message}}}
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
Loading