Fix quotes problem in reason message

SEKOIA-IO · Dec 6, 2024 · d6c0b58 · d6c0b58
1 parent 4e5cd68
commit d6c0b58
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 1 deletion.
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -626,7 +626,7 @@ pipeline:
           AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
           REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
           REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
-          REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+          REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
           REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
           REASON5: 'authenticated for user %{WORD:user}\.   auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
     filter: '{{parsed_event.message.get("EventDescription") != None}}'

diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
@@ -0,0 +1,74 @@
+{
+  "input": {
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Palo Alto NGFW",
+        "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+      }
+    },
+    "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00"
+  },
+  "expected": {
+    "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "dataset": "system",
+      "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",
+      "type": [
+        "start"
+      ]
+    },
+    "@timestamp": "2024-11-26T21:10:01.627000Z",
+    "action": {
+      "name": "auth-success",
+      "type": "auth"
+    },
+    "destination": {
+      "address": "1.7.4.2",
+      "ip": "1.7.4.2"
+    },
+    "log": {
+      "hostname": "FWPAN00",
+      "level": "informational",
+      "logger": "system"
+    },
+    "observer": {
+      "name": "FWPAN00",
+      "product": "PAN-OS",
+      "serial_number": "02410100000000"
+    },
+    "paloalto": {
+      "DGHierarchyLevel1": "0",
+      "DGHierarchyLevel2": "0",
+      "DGHierarchyLevel3": "0",
+      "DGHierarchyLevel4": "0",
+      "EventID": "auth-success",
+      "Threat_ContentType": "auth",
+      "authetification": {
+        "profile": "FWPA"
+      },
+      "server": {
+        "profile": "RADIUS_RSA"
+      },
+      "vsys": "shared"
+    },
+    "related": {
+      "ip": [
+        "1.2.5.5",
+        "1.7.4.2"
+      ],
+      "user": [
+        "test000555"
+      ]
+    },
+    "source": {
+      "address": "1.2.5.5",
+      "ip": "1.2.5.5"
+    },
+    "user": {
+      "name": "test000555"
+    }
+  }
+}