Greetings! Hope all is well.
I've been testing out the Palo Alto module on Filebeat version 7.2.1 with some of our internal PAN-OS Traffic and Threat syslogs. I believe I found a bug in the Threat schema.
In the Filebeat module, Source Location and Destination Location fields for Threat syslogs are being piped directly into destination.geo.country_iso_code, which can be seen in beats/x-pack/filebeat/module/panw/panos/config/input.yml on the beats GitHub repo, lines 133 and 134. According to the PAN-OS documentation, however, the Source Location and Destination Location fields for threat logs can also contain "Internal region for private addresses".
This means that in our ES cluster we can see Threat syslog events from the panw module where source/destination.country_iso_code is set to a private IP range, such as 192.168.0.0-192.168.255.255. This impacts us negatively because we have to filter out private subnets when creating region maps for our threat syslogs (i.e. not destination.geo.country_iso_code:"192.168.0.0-192.168.255.255" and not destination.geo.country_iso_code...).
If possible, we'd like for the country_iso_code field to only be populated with actual country ISO codes, to prevent confusion and for the sake of consistency.
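As an added illustration (not code from the post or from the Filebeat panw module), the snippet below contrasts the direct copy described above with a mapping that only populates geo.country_iso_code when the PAN-OS location value is an ISO 3166-1 alpha-2 code. The input field names (src_location, dst_location) and the fallback field location_raw are assumptions; the sample events are constructed.

```python
import re

# Two-letter ISO 3166-1 alpha-2 code, the only shape geo.country_iso_code should hold.
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")

# Constructed PAN-OS threat events; field names are hypothetical, not the module's.
SAMPLE_EVENTS = [
    {"src_location": "US", "dst_location": "DE"},
    {"src_location": "192.168.0.0-192.168.255.255", "dst_location": "US"},
    {"src_location": "10.0.0.0-10.255.255.255",
     "dst_location": "172.16.0.0-172.31.255.255"},
]

# Which PAN-OS location field feeds which ECS side.
SIDES = {"src_location": "source", "dst_location": "destination"}


def map_direct(event):
    """Behaviour described in the post: copy the raw value into
    <side>.geo.country_iso_code without checking what it contains."""
    out = {}
    for pan_field, side in SIDES.items():
        if pan_field in event:
            out[f"{side}.geo.country_iso_code"] = event[pan_field]
    return out


def map_validated(event):
    """Proposed behaviour: only a real ISO code populates country_iso_code;
    anything else (e.g. the private-address region label) is kept in a
    separate, hypothetical raw field so the information is not lost."""
    out = {}
    for pan_field, side in SIDES.items():
        value = event.get(pan_field)
        if value is None:
            continue
        if ISO_ALPHA2.match(value):
            out[f"{side}.geo.country_iso_code"] = value
        else:
            out[f"{side}.location_raw"] = value
    return out


def region_map_values(events, mapper, field="destination.geo.country_iso_code"):
    """Values a region map would aggregate on after the given mapping; with
    map_direct these include private ranges that must be filtered by hand."""
    return [m[field] for m in (mapper(e) for e in events) if field in m]
```

With map_validated, the region-map query no longer needs the chain of "not destination.geo.country_iso_code:..." exclusions.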