[SOPHOS UTM] Add GeopIP conditions (elastic#15130)

* [SOPHOS UTM] Add GeopIP conditions
Prevent pipeline errors if source/destionation .ip is a empty string

Author: SimonKoetting

packages/sophos/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.15.2"
+  changes:
+    - description: Add conditions to GeoIP processors to prevent failure on empty strings
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15130
 - version: "3.15.1"
   changes:
     - description: Changed owners.

packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/dhcp.yml

@@ -121,6 +121,7 @@ processors:
       target_field: client.geo
       ignore_missing: true
       tag: geo_client_ip
+      if: ctx.client?.ip != ''
 
   # IP Autonomous System (AS) Lookup
   - geoip:
@@ -132,6 +133,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_client_as
+      if: ctx.client?.ip != ''
   - rename:
       field: client.as.asn
       target_field: client.as.number

packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/dns.yml

@@ -55,6 +55,7 @@ processors:
       target_field: server.geo
       ignore_missing: true
       tag: geo_server_ip
+      if: ctx.server?.ip != ''
 
   # IP Autonomous System (AS) Lookup
   - geoip:
@@ -66,6 +67,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_server_as
+      if: ctx.server?.ip != ''
   - rename:
       field: server.as.asn
       target_field: server.as.number

packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/http.yml

@@ -209,11 +209,13 @@ processors:
       target_field: source.geo
       ignore_missing: true
       tag: geo_source_ip
+      if: ctx.source?.ip != ''
   - geoip:
       field: destination.ip
       target_field: destination.geo
       ignore_missing: true
       tag: geo_destination_ip
+      if: ctx.destination?.ip != ''
 
   # IP Autonomous System (AS) Lookup
   - geoip:
@@ -225,6 +227,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_source_as
+      if: ctx.source?.ip != ''
   - geoip:
       database_file: GeoLite2-ASN.mmdb
       field: destination.ip
@@ -234,6 +237,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_destination_as
+      if: ctx.destination?.ip != ''
   - rename:
       field: source.as.asn
       target_field: source.as.number

packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/packetfilter.yml

@@ -190,11 +190,13 @@ processors:
       target_field: source.geo
       ignore_missing: true
       tag: geo_source_ip
+      if: ctx.source?.ip != ''
   - geoip:
       field: destination.ip
       target_field: destination.geo
       ignore_missing: true
       tag: geo_destination_ip
+      if: ctx.destination?.ip != ''
 
   # IP Autonomous System (AS) Lookup
   - geoip:
@@ -206,6 +208,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_source_as
+      if: ctx.source?.ip != ''
   - geoip:
       database_file: GeoLite2-ASN.mmdb
       field: destination.ip
@@ -215,6 +218,7 @@ processors:
           - organization_name
       ignore_missing: true
       tag: geo_destination_as
+      if: ctx.destination?.ip != ''
   - rename:
       field: source.as.asn
       target_field: source.as.number

packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml

@@ -525,12 +525,12 @@ processors:
     field: source.ip
     target_field: source.geo
     ignore_missing: true
-    if: "ctx.source?.geo == null"
+    if: "ctx.source?.geo == null && ctx.source?.ip != ''"
 - geoip:
     field: destination.ip
     target_field: destination.geo
     ignore_missing: true
-    if: "ctx.destination?.geo == null"
+    if: "ctx.destination?.geo == null && ctx.destination?.ip != ''"
 - geoip:
     database_file: GeoLite2-ASN.mmdb
     field: source.ip
@@ -539,6 +539,7 @@ processors:
       - asn
       - organization_name
     ignore_missing: true
+    if: "ctx.source?.ip != ''"
 - geoip:
     database_file: GeoLite2-ASN.mmdb
     field: destination.ip
@@ -547,16 +548,17 @@ processors:
       - asn
       - organization_name
     ignore_missing: true
+    if: "ctx.destination?.ip != ''"
 - geoip:
     field: source.nat.ip
     target_field: source.geo
     ignore_missing: true
-    if: "ctx.source?.geo == null"
+    if: "ctx.source?.geo == null && ctx.source?.nat?.ip != ''"
 - geoip:
     field: destination.nat.ip
     target_field: destination.geo
     ignore_missing: true
-    if: "ctx.destination?.geo == null"
+    if: "ctx.destination?.geo == null && ctx.destination?.nat?.ip != ''"
 - geoip:
     database_file: GeoLite2-ASN.mmdb
     field: source.nat.ip
@@ -565,7 +567,7 @@ processors:
       - asn
       - organization_name
     ignore_missing: true
-    if: "ctx.source?.as == null"
+    if: "ctx.source?.as == null && ctx.source?.nat?.ip != ''"
 - geoip:
     database_file: GeoLite2-ASN.mmdb
     field: destination.nat.ip
@@ -574,7 +576,7 @@ processors:
       - asn
       - organization_name
     ignore_missing: true
-    if: "ctx.destination?.as == null"
+    if: "ctx.destination?.as == null && ctx.destination?.nat?.ip != ''"
 - rename:
     field: source.as.asn
     target_field: source.as.number

packages/sophos/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: sophos
 title: Sophos
-version: "3.15.1"
+version: "3.15.2"
 description: Collect logs from Sophos with Elastic Agent.
 categories:
   - "security"