From d375f276701252d6cf5607b2b785264d73e340a0 Mon Sep 17 00:00:00 2001
From: kevwal1
Date: Tue, 25 Aug 2020 11:15:13 -0400
Subject: [PATCH 1/2] added FIXME note

---
 install/logstash/threat.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/logstash/threat.conf b/install/logstash/threat.conf
index 7182f32..b7a30bc 100644
--- a/install/logstash/threat.conf
+++ b/install/logstash/threat.conf
@@ -76,6 +76,7 @@ filter {
 else if ([ThreatCategory] =~ "^dns") {
 # The dns-cloud logging messages are formatted differently than content based
 # so check to see if we have one of those and parse it.
+ # FIXME Add DNS-Security support
 if ([ThreatCategory] =~ "^dns-cloud") {
 if ([ThreatID] =~ "^109000001" or [ThreatID] =~ "^109001001") {
 grok {

From a8026eb7aa066c4cc18b24b9feb2f69dfbe70613 Mon Sep 17 00:00:00 2001
From: kevwal1
Date: Wed, 26 Aug 2020 09:50:58 -0400
Subject: [PATCH 2/2] Updated SFN Logic to support changes made in dns-security logging

---
 install/logstash/threat.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/logstash/threat.conf b/install/logstash/threat.conf
index b7a30bc..596b95f 100644
--- a/install/logstash/threat.conf
+++ b/install/logstash/threat.conf
@@ -76,8 +76,8 @@ filter {
 else if ([ThreatCategory] =~ "^dns") {
 # The dns-cloud logging messages are formatted differently than content based
 # so check to see if we have one of those and parse it.
- # FIXME Add DNS-Security support
- if ([ThreatCategory] =~ "^dns-cloud") {
+ # Now supports changes added to the DNS Security subscription.
+ if ([ThreatCategory] =~ "^dns-cloud" or [ThreatCategory] =~ "^dns-security") {
 if ([ThreatID] =~ "^109000001" or [ThreatID] =~ "^109001001") {
 grok {
 # We use the grok regex of DATA (rather than HOSTNAME) because we with Kiev/PANOS9.0 we
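Review bot: The widened category test on the new `if` line now sends dns-security events into a ThreatID check that is only prefix-anchored — Logstash `=~` is a regex match, so `"^109000001"` also matches any ID that merely begins with those digits — and everything that passes is handed to the dns-cloud grok below; if these are exact IDs, `if ([ThreatID] in ["109000001", "109001001"]) {` is the tighter test. The two category regexes can also collapse into one, `if ([ThreatCategory] =~ "^dns-(cloud|security)") {`. The added comment `# Now supports changes added to the DNS Security subscription.` reads as a changelog entry rather than a description of the branch, and the two comment lines above it still speak only of dns-cloud; I would replace it with something like `# dns-cloud and dns-security events are assumed to share this message format and ThreatID set, so both are parsed here.` — hedged, because whether dns-security uses the same ThreatIDs and grok layout is not visible in the hunk. The enclosing `filter {` / `else if` block and the grok definition continue outside the hunk.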