From f3d9e30e523acc8dc24917b3e8a3afa54cde7e6d Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 14 Apr 2020 20:58:42 +0200 Subject: [PATCH] CEF CheckPoint: adjust fields for forward compatibility (#17681) This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682 (cherry picked from commit 4f6da4f9c6ac919d8824ba8b142f167544d45065) --- filebeat/docs/fields.asciidoc | 55 ++++++-------- filebeat/docs/modules/cef.asciidoc | 16 ++--- .../filebeat/module/cef/_meta/docs.asciidoc | 16 ++--- x-pack/filebeat/module/cef/fields.go | 2 +- .../filebeat/module/cef/log/_meta/fields.yml | 72 ++++++++++++++----- .../module/cef/log/ingest/cp-pipeline.yml | 36 ++++++---- .../cef/log/test/checkpoint.log-expected.json | 4 +- 7 files changed, 118 insertions(+), 83 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 49c745b50dc..69b79182c08 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4894,7 +4894,7 @@ type: keyword -- Confidence level determined. -type: keyword +type: integer -- @@ -4988,15 +4988,6 @@ type: long -- -*`checkpoint.file_hash`*:: -+ --- -File hash (SHA1 or MD5). - -type: keyword - --- - *`checkpoint.frequency`*:: + -- @@ -5051,6 +5042,15 @@ type: keyword -- +*`checkpoint.malware_family`*:: ++ +-- +Malware family. + +type: keyword + +-- + *`checkpoint.peer_gateway`*:: + -- 
@@ -5065,7 +5065,7 @@ type: ip -- Protection performance impact. -type: keyword +type: integer -- @@ -5123,16 +5123,25 @@ type: keyword -- -*`checkpoint.malware_status`*:: +*`checkpoint.spyware_name`*:: + -- -Malware status. +Spyware name. type: keyword -- -*`checkpoint.subscription_expiration`*:: +*`checkpoint.spyware_status`*:: ++ +-- +Spyware status. + +type: keyword + +-- + +*`checkpoint.subs_exp`*:: + -- The expiration date of the subscription. @@ -5195,24 +5204,6 @@ type: keyword -- -*`checkpoint.malware_name`*:: -+ --- -Malware name. - -type: keyword - --- - -*`checkpoint.malware_family`*:: -+ --- -Malware family. - -type: keyword - --- - *`checkpoint.voip_log_type`*:: + -- diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index bb5b77dee42..38ac4e4cd5b 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -70,9 +70,9 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash | +| fileHash | - | file.hash.{md5,sha1} | - | | reason | - | - | checkpoint.termination_reason | -| checkrequestCookies | - | - | checkpoint.cookie | +| requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | | Signature | - | vulnerability.id | - | | Recipient | - | destination.user.email | - | 
@@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows:
 | deviceCustomFloatingPoint1 | update version | observer.version | - |
 | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
 | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
-.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
+.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
 | email recipients number | - | checkpoint.email_recipients_num |
 | payload | network.bytes | - |
 .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
@@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
 | update status | - | checkpoint.update_status |
 | peer gateway | - | checkpoint.peer_gateway |
 | categories | rule.category | - |
-.4+| deviceCustomString6 | application name | process.name | - |
+.4+| deviceCustomString6 | application name | network.application | - |
 | virus name | - | checkpoint.virus_name |
- | malware name | - | checkpoint.malware_name |
+ | malware name | - | checkpoint.spyware_name |
 | malware family | - | checkpoint.malware_family |
 .5+| deviceCustomString3 | user group | group.name | - |
 | incident extension | - | checkpoint.incident_extension |
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
 | vlan id | network.vlan.id | - |
 | authentication method | - | checkpoint.auth_method |
 | email session id | - | checkpoint.email_session_id |
-| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
+| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
 | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
 .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
 | destination phone number | - | checkpoint.dst_phone_number |
 | flexString1 | application signature id | - | checkpoint.app_sig_id |
-.2+| flexString2 | malware action | event.action | - |
+.2+| flexString2 | malware action | rule.description | - |
 | attack information | event.action | - |
 | rule_uid | - | rule.uuid | - |
-| ifname | - | observer.ingress.interface.name | - |
+| ifname | - | observer.ingress.interface.name | - |
 | inzone | - | observer.ingress.zone | - |
 | outzone | - | observer.egress.zone | - |
 | product | - | observer.product | - |
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
index d3f97e011dd..00d2ab1e791 100644
--- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
@@ -65,9 +65,9 @@ Check Point CEF extensions are mapped as follows:
 | deviceInboundInterface | - | observer.ingress.interface.name | - |
 | deviceOutboundInterface | - | observer.egress.interface.name | - |
 | externalId | - | - | checkpoint.uuid |
-| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
+| fileHash | - | file.hash.{md5,sha1} | - |
 | reason | - | - | checkpoint.termination_reason |
-| checkrequestCookies | - | - | checkpoint.cookie |
+| requestCookies | - | - | checkpoint.cookie |
 | sourceNtDomain | - | dns.question.name | - |
 | Signature | - | vulnerability.id | - |
 | Recipient | - | destination.user.email | - |
@@ -75,7 +75,7 @@ Check Point CEF extensions are mapped as follows:
 | deviceCustomFloatingPoint1 | update version | observer.version | - |
 | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
 | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
-.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
+.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
 | email recipients number | - | checkpoint.email_recipients_num |
 | payload | network.bytes | - |
 .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
@@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
 | update status | - | checkpoint.update_status |
 | peer gateway | - | checkpoint.peer_gateway |
 | categories | rule.category | - |
-.4+| deviceCustomString6 | application name | process.name | - |
+.4+| deviceCustomString6 | application name | network.application | - |
 | virus name | - | checkpoint.virus_name |
- | malware name | - | checkpoint.malware_name |
+ | malware name | - | checkpoint.spyware_name |
 | malware family | - | checkpoint.malware_family |
 .5+| deviceCustomString3 | user group | group.name | - |
 | incident extension | - | checkpoint.incident_extension |
@@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
 | vlan id | network.vlan.id | - |
 | authentication method | - | checkpoint.auth_method |
 | email session id | - | checkpoint.email_session_id |
-| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
+| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
 | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
 .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
 | destination phone number | - | checkpoint.dst_phone_number |
 | flexString1 | application signature id | - | checkpoint.app_sig_id |
-.2+| flexString2 | malware action | event.action | - |
+.2+| flexString2 | malware action | rule.description | - |
 | attack information | event.action | - |
 | rule_uid | - | rule.uuid | - |
-| ifname | - | observer.ingress.interface.name | - |
+| ifname | - | observer.ingress.interface.name | - |
 | inzone | - | observer.ingress.zone | - |
 | outzone | - | observer.egress.zone | - |
 | product | - | observer.product | - |
diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go
index 217d805818d..5e33a41c840 100644
--- a/x-pack/filebeat/module/cef/fields.go
+++ b/x-pack/filebeat/module/cef/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCef returns asset data.
 // This is the base64 encoded gzipped contents of module/cef.
 func AssetCef() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml
index 40f6cdb4bfb..264e15e12ed 100644
--- a/x-pack/filebeat/module/cef/log/_meta/fields.yml
+++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml
@@ -18,170 +18,208 @@ fields: - name: app_risk type: keyword + overwrite: true description: Application risk. - name: app_severity type: keyword + overwrite: true description: Application threat severity. - name: app_sig_id type: keyword + overwrite: true description: The signature ID which the application was detected by. - name: auth_method type: keyword + overwrite: true description: Password authentication protocol used. - name: category type: keyword + overwrite: true description: Category. - name: confidence_level - type: keyword + type: integer + overwrite: true description: Confidence level determined. - name: connectivity_state type: keyword + overwrite: true description: Connectivity state. - name: cookie type: keyword + overwrite: true description: IKE cookie. - name: dst_phone_number type: keyword + overwrite: true description: Destination IP-Phone. - name: email_control type: keyword + overwrite: true description: Engine name. - name: email_id type: keyword + overwrite: true description: Internal email ID. - name: email_recipients_num type: long + overwrite: true description: Number of recipients. - name: email_session_id type: keyword + overwrite: true description: Internal email session ID. - name: email_spool_id + overwrite: true type: keyword + description: Internal email spool ID. - name: email_subject type: keyword + overwrite: true description: Email subject. - name: event_count type: long + overwrite: true description: Number of events associated with the log. - - name: file_hash - type: keyword - description: File hash (SHA1 or MD5). - - name: frequency type: keyword + overwrite: true description: Scan frequency. - name: icmp_type type: long + overwrite: true description: ICMP type. - name: icmp_code type: long + overwrite: true description: ICMP code. - name: identity_type type: keyword + overwrite: true description: Identity type. - name: incident_extension type: keyword + overwrite: true description: Format of original data. 
- name: integrity_av_invoke_type type: keyword + overwrite: true description: Scan invoke type. + - name: malware_family + type: keyword + overwrite: true + description: Malware family. + - name: peer_gateway type: ip + overwrite: true description: Main IP of the peer Security Gateway. - name: performance_impact - type: keyword + type: integer + overwrite: true description: Protection performance impact. - name: protection_id type: keyword + overwrite: true description: Protection malware ID. - name: protection_name type: keyword + overwrite: true description: Specific signature name of the attack. - name: protection_type type: keyword + overwrite: true description: Type of protection used to detect the attack. - name: scan_result type: keyword + overwrite: true description: Scan result. - name: sensor_mode type: keyword + overwrite: true description: Sensor mode. - name: severity type: keyword + overwrite: true description: Threat severity. - - name: malware_status + - name: spyware_name type: keyword - description: Malware status. + overwrite: true + description: Spyware name. - - name: subscription_expiration + - name: spyware_status + type: keyword + overwrite: true + description: Spyware status. + + - name: subs_exp type: date + overwrite: true description: The expiration date of the subscription. - name: tcp_flags type: keyword + overwrite: true description: TCP packet flags. - name: termination_reason type: keyword + overwrite: true description: Termination reason. - name: update_status type: keyword + overwrite: true description: Update status. - name: user_status type: keyword + overwrite: true description: User response. - name: uuid type: keyword + overwrite: true description: External ID. - name: virus_name type: keyword + overwrite: true description: Virus name. - - name: malware_name - type: keyword - description: Malware name. - - - name: malware_family - type: keyword - description: Malware family. 
- - name: voip_log_type type: keyword + overwrite: true description: VoIP log types. - name: cef.extensions diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index f3f38355ed9..eea2f8fd592 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -76,7 +76,7 @@ processors: - name: deviceExternalId to: observer.type - # Product Family + # Product Family (override deviceExternalId if present). - name: deviceFacility to: observer.type convert: @@ -104,6 +104,10 @@ processors: to: checkpoint.termination_reason # Possibly an IKE cookie + - name: requestCookies + to: checkpoint.cookie + + # Probably a typo in CP's CEF docs - name: checkrequestCookies to: checkpoint.cookie @@ -136,7 +140,7 @@ processors: - name: deviceCustomNumber1 labels: payload: network.bytes - elapsed time in seconds: host.uptime + elapsed time in seconds: event.duration email recipients number: checkpoint.email_recipients_num - name: deviceCustomNumber2 @@ -172,9 +176,9 @@ processors: - name: deviceCustomString6 labels: - application name: process.name + application name: network.application virus name: checkpoint.virus_name - malware name: checkpoint.malware_name + malware name: checkpoint.spyware_name malware family: checkpoint.malware_family - name: deviceCustomString3 @@ -208,7 +212,7 @@ processors: - name: deviceCustomDate2 labels: - subscription expiration: checkpoint.subscription_expiration + subscription expiration: checkpoint.subs_exp - name: deviceFlexNumber1 labels: @@ -225,7 +229,7 @@ processors: - name: flexString2 labels: - malware action: event.action + malware action: rule.description attack information: event.action - name: rule_uid 
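Review bot: In the `email_spool_id` entry the new `overwrite: true` line is inserted above `type: keyword`, while every other entry in this hunk uses the order name, type, overwrite, description; reordering it to `type: keyword` / `overwrite: true` / `description: Internal email spool ID.` keeps the list uniform and easier to scan. Separately, `confidence_level` and `performance_impact` change from keyword to integer, yet the expected-output fixture later in this patch still shows numeric Check Point values arriving as strings (for example `checkpoint.event_count`), so these two entries appear to rely on index-time coercion — a short comment on them saying so would save the next reader from hunting for a convert step that does not seem to exist. The enclosing `fields:` list starts before this hunk.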
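Review bot: Both `requestCookies` and `checkrequestCookies` now map to `checkpoint.cookie`, so an event that carries both extension keys ends up with one value chosen by whatever order the mapping list is applied in, which the hunk does not make explicit; a comment stating which key wins, or mapping the typo variant only when `checkpoint.cookie` is still unset, would remove the ambiguity. The existing `# Possibly an IKE cookie` comment now describes the new entry and `# Probably a typo in CP's CEF docs` the old one; merging them as `# Possibly an IKE cookie. requestCookies is the documented key; checkrequestCookies is probably a typo in CP's CEF docs, kept for compatibility.` makes the pair read as a single mapping.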
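Review bot: `elapsed time in seconds: event.duration` maps a value in seconds onto an ECS field whose unit is nanoseconds, so unless the processor that touches `event.duration` near the start of the later hunk (`field: event.duration` / `ignore_missing: true`, whose processor type is outside the visible lines) scales the value by 1e9, durations from this source will disagree by nine orders of magnitude with every other ECS source. If that scaling does happen there, a comment on this label such as `elapsed time in seconds: event.duration  # seconds; converted to nanoseconds further down` would make the contract visible where the mapping is declared, and the two docs tables changed in this patch should state the stored unit as well.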
@@ -295,15 +299,19 @@ processors: field: event.duration ignore_missing: true - # checkpoint.file_hash can be either MD5 or SHA1. - - set: - field: file.hash.md5 - value: '{{checkpoint.file_hash}}' + # checkpoint.file_hash can be either MD5, SHA1 or SHA256. + - rename: + field: checkpoint.file_hash + target_field: file.hash.md5 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' - - set: - field: file.hash.sha1 - value: '{{checkpoint.file_hash}}' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha1 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha256 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' # Event kind is 'event' by default. 'alert' when a risk score and rule info # is present. @@ -324,7 +332,7 @@ processors: - set: field: event.category value: malware - if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.malware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' + if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' - set: field: event.category value: intrusion_detection diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 0cc100922d0..1dce9c9aae7 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json 
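Review bot: A `checkpoint.file_hash` value whose length is not 32, 40 or 64 satisfies none of the three `rename` conditions and stays under `checkpoint.file_hash`, but this patch also removes that field's definition from `fields.yml`, so such values would now land in an undeclared field and, depending on the index template, be mapped dynamically or dropped. Either keep the `file_hash` entry in `fields.yml` as the documented fallback or add a final step that moves unrecognised values to a declared field, and say which in the comment: `# checkpoint.file_hash can be either MD5, SHA1 or SHA256 (by length); other lengths are left in place`. The length test is also met by non-hex strings of the right size and no case normalisation is applied, so if Check Point ever emits upper-case digests a `lowercase` processor on `checkpoint.file_hash` ahead of the renames would keep `file.hash.*` consistent with other sources for exact-match lookups.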
@@ -116,8 +116,7 @@
 "cef.severity": "Unknown",
 "cef.version": "0",
 "checkpoint.email_control": "SMTP Policy Restrictions",
- "checkpoint.file_hash": "55f4a511e6f630a6b1319505414f114e7bcaf13d",
- "checkpoint.subscription_expiration": "2020-04-11T10:42:13.000Z",
+ "checkpoint.subs_exp": "2020-04-11T10:42:13.000Z",
 "destination.port": 25,
 "event.action": "Bypass",
 "event.code": "Log",
@@ -165,7 +164,6 @@
 "cef.version": "0",
 "checkpoint.app_risk": "High",
 "checkpoint.event_count": "12",
- "checkpoint.file_hash": "580a783c1cb2b20613323f715d231a69",
 "checkpoint.severity": "Very-High",
 "destination.ip": "::1",
 "event.action": "Drop",