[prisma_access] Handle Malformed URL and Parsing Issue (elastic#15005)

prisma_cloud: Handle malformed URL in CEF string and parsing issue in pipeline processors.

Add `*.client.to_firewall_str` and `*.firewall_to_client_str` fields to capture original string values when 
boolean conversion fails in PanOSFirewallToClient and PanOSClientToFirewall fields.
Add support for UNIX timestamp format in `*.time.not_after` and `*.time.not_before` fields.
Handle malformed URL in CEF string.
.

Author: mohitjha-elastic

packages/prisma_access/_dev/deploy/docker/sample_logs/prisma_access.log

@@ -1,4 +1,13 @@
 # newer versions go on top
+- version: "1.6.1"
+  changes:
+    - description: |
+        Add `*.client.to_firewall_str` and `*.firewall_to_client_str` fields to capture original string values when
+        boolean conversion fails in PanOSFirewallToClient and PanOSClientToFirewall fields.
+        Add support for UNIX timestamp format in `*.time.not_after` and `*.time.not_before` fields.
+        Handle malformed URL in CEF string.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15005
 - version: "1.6.0"
   changes:
     - description: Remove duplicated installation instructions from the documentation

packages/prisma_access/changelog.yml

@@ -2401,6 +2401,139 @@
                 "id": "87f9bf9f-fdd4-45bb-9ca9-430522636747",
                 "name": "co8"
             }
+        },
+        {
+            "@timestamp": "2024-07-23T08:40:42.542Z",
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "log": {
+                "source": {
+                    "address": "127.0.0.1:38456"
+                }
+            },
+            "input": {
+                "type": "tcp"
+            },
+            "event": {
+                "original": "Mar 1 24:35:56 175.16.199.1 2341 <14>1 2021-03-01T20:35:56.343Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=12.0 start=Mar 01 2021 20:35:54 src=175.16.199.3 dst=175.16.199.4 sourceTranslatedAddress=127.0.0.1 destinationTranslatedAddress=89.160.20.112 cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\\\\\xxxxx duser=paloaltonetwork\\\\\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID=00112233-4455-6677-8899-aabbccddeeff PanOSDestinationUUID=00112233-4455-xxxx-8899-aabbccddeeff PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=Finished PanOSFirewallToClient=Finished PanOSTLSVersion=0.0 PanOSTLSKeyExchange=algo1 PanOSTLSEncryptionAlgorithm=alg2 PanOSTLSAuth=auth2 PanOSPolicyName=policy1 PanOSSanctionedStateofApp=true PanOSEllipticCurve=secp256r1 PanOSErrorIndex=1 PanOSRootStatus=close PanOSChainStatus=close PanOSProxyType=proxy1 PanOSCertificateSerial=0123456789ABCDEF0123456789ABCDEF PanOSFingerprint=D0:3A:9E:36:54:EC:91:6E:76:7F:A2:8C:BF:16:2E:82:65:32:AB:2B PanOSTimeNotBefore=Feb 20 2021 18:20:41 PanOSTimeNotAfter=Feb 28 2021 18:20:41 PanOSCertificateVersion=0.0 PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName=cname1 PanOSIssuerCommonName=issuercn1 PanOSRootCommonName=rootuser PanOSServerNameIndication=indc PanOSErrorMessage=fault PanOSContainerID=12xc34r PanOSContainerNameSpace=default PanOSContainerName=web-server-container PanOSSourceEDL=https://example.com/sedl.txt PanOSDestinationEDL=https://sample.com/dedl.txt PanOSSourceDynamicAddressGroup=tag1 PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory=cat1 PanOSSourceDeviceProfile=prof1 PanOSSourceDeviceModel=model1 PanOSSourceDeviceVendor=panw PanOSSourceDeviceOSFamily=Windows PanOSSourceDeviceOSVersion=8.0 PanOSSourceDeviceHost=web-server-01.example.com PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=dcat1 PanOSDestinationDeviceProfile=dprof PanOSDestinationDeviceModel=dmod PanOSDestinationDeviceVendor=cortex PanOSDestinationDeviceOSFamily=Linux PanOSDestinationDeviceOSVersion=11.4 PanOSDestinationDeviceHost=web-server-02.example.com PanOSDestinationDeviceMac=150083646537 externalId=xxxxxxxxxxxxx"
+            },
+            "cef": {
+                "version": "0",
+                "device": {
+                    "event_class_id": "DECRYPTION",
+                    "vendor": "Palo Alto Networks",
+                    "product": "LF",
+                    "version": "2.0"
+                },
+                "name": "end",
+                "severity": "3",
+                "extensions": {
+                    "sourceTranslatedAddress": "127.0.0.1",
+                    "sourceTranslatedPort": 15856,
+                    "PanOSCertificateSize": "0",
+                    "PanOSErrorIndex": "1",
+                    "deviceCustomString6": "test",
+                    "PanOSTLSAuth": "auth2",
+                    "PanOSDestinationDeviceOSVersion": "11.4",
+                    "deviceCustomString6Label": "LogSetting",
+                    "deviceCustomString3Label": "VirtualLocation",
+                    "PanOSSourceDeviceOSFamily": "Windows",
+                    "deviceCustomNumber1": 106112,
+                    "PanOSRuleUUID": "fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e",
+                    "PanOSSourceUUID": "00112233-4455-6677-8899-aabbccddeeff",
+                    "PanOSCertificateFlags": "0",
+                    "PanOSSNILength": "0",
+                    "destinationUserName": "panw\\\\decuser",
+                    "PanOSTLSEncryptionAlgorithm": "alg2",
+                    "PanOSSourceDeviceVendor": "panw",
+                    "PanOSContainerNameSpace": "default",
+                    "PanOSCertificateVersion": "0.0",
+                    "PanOSSourceDeviceOSVersion": "8.0",
+                    "deviceAction": "deny",
+                    "deviceCustomString1Label": "Rule",
+                    "sourceUserName": "pan-w\\\\suser",
+                    "PanOSServerNameIndication": "indc",
+                    "PanOSErrorMessage": "fault",
+                    "deviceInboundInterface": "ethernet1/1",
+                    "PanOSConfigVersion": "12.0",
+                    "deviceCustomString5Label": "ToZone",
+                    "PanOSSourceDeviceMac": "839147449905",
+                    "PanOSSourceDynamicAddressGroup": "tag1",
+                    "deviceTimeZone": "UTC",
+                    "PanOSTimeNotBefore": "Feb 20 2021 18:20:41",
+                    "PanOSTLSVersion": "0.0",
+                    "PanOSTimeNotAfter": "Feb 28 2021 18:20:41",
+                    "destinationPort": 20122,
+                    "deviceCustomString3": "vsys1",
+                    "applicationProtocol": "gmail-base",
+                    "PanOSContainerName": "web-server-container",
+                    "PanOSTunnel": "N/A",
+                    "destinationTranslatedAddress": "89.160.20.112",
+                    "PanOSDeviceSN": "xxxxxxxxxxxxx",
+                    "deviceCustomString5": "ethernet4Zone-test1",
+                    "PanOSDestinationDeviceCategory": "dcat1",
+                    "PanOSDestinationDeviceHost": "web-server-02.example.com",
+                    "PanOSRootCommonName": "rootuser",
+                    "PanOSDestinationUUID": "00112233-4455-xxxx-8899-aabbccddeeff",
+                    "PanOSDestinationDeviceMac": "150083646537",
+                    "deviceCustomString4": "datacenter",
+                    "PanOSRootStatus": "close",
+                    "PanOSFirewallToClient": "Finished",
+                    "externalId": "xxxxxxxxxxxxx",
+                    "PanOSDestinationDeviceProfile": "dprof",
+                    "PanOSDestinationDeviceVendor": "cortex",
+                    "PanOSCertificateSerial": "0123456789ABCDEF0123456789ABCDEF",
+                    "PanOSChainStatus": "close",
+                    "PanOSContainerID": "12xc34r",
+                    "deviceCustomString1": "allow-all-employees",
+                    "PanOSTLSKeyExchange": "algo1",
+                    "destinationAddress": "175.16.199.4",
+                    "PanOSDestinationDeviceModel": "dmod",
+                    "ProfileToken": "xxxxx",
+                    "PanOSIssuerCommonName": "issuercn1",
+                    "deviceReceiptTime": "2021-03-01T20:35:54.000Z",
+                    "PanOSCommonNameLength": "0",
+                    "PanOSCommonName": "cname1",
+                    "PanOSSourceDeviceCategory": "cat1",
+                    "PanOSTimeReceivedManagementPlane": "Dec 12 2019 22:16:48",
+                    "deviceCustomNumber1Label": "SessionID",
+                    "PanOSRootCNLength": "0",
+                    "PanOSDestinationEDL": "https://sample.com/dedl.txt",
+                    "PanOSEllipticCurve": "secp256r1",
+                    "PanOSTimeGeneratedHighResolution": "Jul 25 2019 23:30:12",
+                    "PanOSSanctionedStateofApp": "true",
+                    "PanOSSourceDeviceProfile": "prof1",
+                    "deviceCustomString4Label": "FromZone",
+                    "PanOSSourceDeviceModel": "model1",
+                    "transportProtocol": "tcp",
+                    "PanOSDestinationDeviceOSFamily": "Linux",
+                    "PanOSDestinationDynamicAddressGroup": "test",
+                    "PanOSPolicyName": "policy1",
+                    "PanOSSourceDeviceHost": "web-server-01.example.com",
+                    "startTime": "2021-03-01T20:35:54.000Z",
+                    "deviceOutboundInterface": "tunnel.901",
+                    "sourcePort": 16524,
+                    "PanOSProxyType": "proxy1",
+                    "destinationTranslatedPort": 10128,
+                    "PanOSFingerprint": "D0:3A:9E:36:54:EC:91:6E:76:7F:A2:8C:BF:16:2E:82:65:32:AB:2B",
+                    "PanOSIssuerNameLength": "0",
+                    "PanOSClientToFirewall": "Finished",
+                    "PanOSSourceEDL": "https://example.com/sedl.txt",
+                    "baseEventCount": 1,
+                    "sourceAddress": "175.16.199.3"
+                }
+            },
+            "host": {
+                "name": "localhost.localdomain"
+            },
+            "agent": {
+                "name": "localhost.localdomain",
+                "type": "filebeat",
+                "version": "8.15.0",
+                "ephemeral_id": "e340dcc7-d349-43f0-854b-5b2bb2bfe7e4",
+                "id": "ca5a0f57-cf05-496b-96ad-990351fce514"
+            }
         }
     ]
 }