CEF CheckPoint: adjust fields for forward compatibility (elastic#17681)
This PR makes some changes to CEF module's custom mappings for Check Point
devices to ensure compatibility with the upcoming checkpoint module.

Check Point has its own custom log format, for which a new module is being
prepared. The idea behind this new module, as well as the CEF custom mappings for
Check Point (this PR), is to use ECS whenever possible and map the rest
under checkpoint.* using the original field name from Check Point.

In the original PR for CEF, a few mistakes had been made in field names and
types. Also taking the opportunity to change some ECS mappings.

Related elastic#16907 elastic#17682

(cherry picked from commit 4f6da4f)
adriansr committed Apr 14, 2020
1 parent d120dd2 commit f3d9e30
Showing 7 changed files with 118 additions and 83 deletions.
55 changes: 23 additions & 32 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -4894,7 +4894,7 @@ type: keyword
--
Confidence level determined.
type: keyword
type: integer
--
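Review bot: switching `checkpoint.confidence_level` from `type: keyword` to `type: integer` is a mapping change, not only a documentation change. Indices created from the previous template keep the keyword mapping while new ones get integer, so a Kibana index pattern spanning both will report a field type conflict until the old indices are rolled over. The type itself is consistent with the CEF table below (`| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |`, and deviceFlexNumber keys are numeric by the CEF spec), but the change should be listed under breaking changes in the changelog with a note to update the index template and roll over.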
Expand Down Expand Up @@ -4988,15 +4988,6 @@ type: long
--
*`checkpoint.file_hash`*::
+
--
File hash (SHA1 or MD5).
type: keyword
--
*`checkpoint.frequency`*::
+
--
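Review bot: removing `checkpoint.file_hash` leaves `file.hash.md5` and `file.hash.sha1` as the only destination for `fileHash`, which means the pipeline has to decide which algorithm a given value is; the deleted description ("File hash (SHA1 or MD5).") is the only hint. A 32-hex-character value is MD5 and a 40-character one is SHA-1, but a value of any other length (for example a 64-character SHA-256) has nowhere to go once this field is gone. Please confirm the pipeline keeps unrecognised-length hashes somewhere rather than silently dropping them, and record the removal as a breaking change since existing saved searches on `checkpoint.file_hash` will stop matching.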
Expand Down Expand Up @@ -5051,6 +5042,15 @@ type: keyword
--
*`checkpoint.malware_family`*::
+
--
Malware family.
type: keyword
--
*`checkpoint.peer_gateway`*::
+
--
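Review bot: this insertion of `checkpoint.malware_family` is the alphabetically ordered copy of the block deleted further down in the same file, so there is no semantic change here. Because filebeat/docs/fields.asciidoc is a generated file, the reviewer should verify the reordering came from `make update` against the module's fields.yml rather than a hand edit; otherwise the next regeneration will undo it.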
Expand All @@ -5065,7 +5065,7 @@ type: ip
--
Protection performance impact.
type: keyword
type: integer
--
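Review bot: with `checkpoint.performance_impact` now `type: integer`, any event in which deviceFlexNumber2 carries a non-numeric value will fail indexing with a mapper parsing error and the whole event is lost, not just that field. The CEF spec makes deviceFlexNumber numeric, so compliant senders are fine, but the ingest pipeline should still coerce and validate the value (a `convert` processor with an `on_failure` handler or `ignore_failure: true`) before it reaches the integer mapping, so a malformed sender degrades to a missing field rather than a dropped event.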
Expand Down Expand Up @@ -5123,16 +5123,25 @@ type: keyword
--
*`checkpoint.malware_status`*::
*`checkpoint.spyware_name`*::
+
--
Malware status.
Spyware name.
type: keyword
--
*`checkpoint.subscription_expiration`*::
*`checkpoint.spyware_status`*::
+
--
Spyware status.
type: keyword
--
*`checkpoint.subs_exp`*::
+
--
The expiration date of the subscription.
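Review bot: the rename of `checkpoint.malware_status` to `checkpoint.spyware_status` and the new `checkpoint.spyware_name` do not have matching rows in the CEF mapping table later in this change: the table maps the CEF label "malware name" to `checkpoint.spyware_name`, and no row references `checkpoint.spyware_status` at all, so it is unclear which CEF key or label populates it. Either add the row or state in the commit that `spyware_status` is reserved for the upcoming checkpoint module. `checkpoint.subs_exp` follows the stated policy of keeping Check Point's original field name, which is fine, but since the name is terse the description "The expiration date of the subscription." is the only hint; keeping that description intact matters.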
Expand Down Expand Up @@ -5195,24 +5204,6 @@ type: keyword
--
*`checkpoint.malware_name`*::
+
--
Malware name.
type: keyword
--
*`checkpoint.malware_family`*::
+
--
Malware family.
type: keyword
--
*`checkpoint.voip_log_type`*::
+
--
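Review bot: `checkpoint.malware_name` is removed outright here (its content now lands in `checkpoint.spyware_name` according to the table below), with no alias left behind. Any saved search, visualization or alert rule that queries `checkpoint.malware_name` or `checkpoint.file_hash` will silently match nothing after the upgrade. Consider adding `type: alias` entries in fields.yml (with `path` pointing at the new field) for renamed fields so existing queries keep working, or at minimum list every removed and renamed field in the breaking-changes section of the changelog.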
16 changes: 8 additions & 8 deletions filebeat/docs/modules/cef.asciidoc
Expand Up @@ -70,17 +70,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
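Review bot: the `deviceCustomNumber1` row now maps "elapsed time in seconds" to `event.duration`, but ECS defines `event.duration` in nanoseconds, so the pipeline must multiply the CEF value by 1,000,000,000 before writing it; otherwise the durations are nine orders of magnitude too small and cannot be compared with durations from other modules. Worth stating the conversion in the table or the field description. The `checkrequestCookies` to `requestCookies` change is just the typo fix in the key name, and dropping the `checkpoint.file_hash` column entry matches the field removal in fields.asciidoc.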
Expand All @@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
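Review bot: `network.application` is the right ECS home for "application name" (`process.name` implied a local OS process, which a firewall application-control log does not identify), but ECS requires `network.application` to be normalized to lowercase, so the pipeline should lowercase the deviceCustomString6 value when its label is "application name". The `.4+` rowspan shows this one CEF key dispatched to four targets by its label; confirm that an unrecognised label falls through to a generic field rather than being dropped.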
Expand All @@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
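Review bot: moving `flexString2` "malware action" from `event.action` to `rule.description` is sensible, since ECS `event.action` is meant for a short normalized action name while Check Point's malware action text is descriptive, but the neighbouring row still sends "attack information" to `event.action`, so that field will now hold free text or an action verb depending on the label. Consider giving "attack information" a descriptive target as well, or document the mix. The `ifname` line appears as both removed and added with identical text, so that part is a whitespace-only change.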
16 changes: 8 additions & 8 deletions x-pack/filebeat/module/cef/_meta/docs.asciidoc
Expand Up @@ -65,17 +65,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
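Review bot: x-pack/filebeat/module/cef/_meta/docs.asciidoc is the source from which filebeat/docs/modules/cef.asciidoc is generated, and the hunks in this file match the generated copy above line for line, so the comments on that file (the `event.duration` nanosecond conversion, lowercasing `network.application`, the mixed use of `event.action`) apply here. The only extra check is that the generated file was produced by `make update` from this one rather than edited in parallel; otherwise the next build will show a spurious diff.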
Expand All @@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
Expand All @@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cef/fields.go