Commit 4f6da4f

CEF CheckPoint: adjust fields for forward compatibility (#17681)
This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been made in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682
1 parent 70fba87 commit 4f6da4f

7 files changed

+118
-83
lines changed

filebeat/docs/fields.asciidoc

Lines changed: 23 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -4895,7 +4895,7 @@ type: keyword
48954895
--
48964896
Confidence level determined.
48974897
4898-
type: keyword
4898+
type: integer
48994899
49004900
--
49014901
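Review bot: the `-type: keyword` / `+type: integer` pair in this hunk changes the mapping type of the confidence level field (`checkpoint.confidence_level`, fed from `deviceFlexNumber1` per the mapping table), so indices created from the previous template keep it as a string while new ones hold a number; that mismatch shows up as a field type conflict in Kibana across the upgrade and deserves a breaking-change entry in the changelog. It is also worth confirming that Check Point always sends an integer here, since a non-numeric value would now be rejected with a mapping exception at index time instead of being stored as a keyword.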
@@ -4989,15 +4989,6 @@ type: long
49894989
49904990
--
49914991
4992-
*`checkpoint.file_hash`*::
4993-
+
4994-
--
4995-
File hash (SHA1 or MD5).
4996-
4997-
type: keyword
4998-
4999-
--
5000-
50014992
*`checkpoint.frequency`*::
50024993
+
50034994
--
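Review bot: dropping `checkpoint.file_hash` leaves `file.hash.{md5,sha1}` as the only destination for `fileHash` (the mapping table row in cef.asciidoc is changed to match), which is the right ECS-first choice; make sure the ingest pipeline no longer writes `checkpoint.file_hash`, otherwise the value would still arrive and be dynamically mapped with no documented type.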
@@ -5052,6 +5043,15 @@ type: keyword
50525043
50535044
--
50545045
5046+
*`checkpoint.malware_family`*::
5047+
+
5048+
--
5049+
Malware family.
5050+
5051+
type: keyword
5052+
5053+
--
5054+
50555055
*`checkpoint.peer_gateway`*::
50565056
+
50575057
--
@@ -5066,7 +5066,7 @@ type: ip
50665066
--
50675067
Protection performance impact.
50685068
5069-
type: keyword
5069+
type: integer
50705070
50715071
--
50725072
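Review bot: `checkpoint.performance_impact` moves from `keyword` to `integer` here while the mapping table feeds it from `deviceFlexNumber2`; as with the confidence level field, documents indexed before and after the upgrade will disagree on the type, so this should be listed as a breaking change for users who have the field in saved searches or visualisations, and the source value should be verified to be numeric in all Check Point product lines that emit it.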
@@ -5124,16 +5124,25 @@ type: keyword
51245124
51255125
--
51265126
5127-
*`checkpoint.malware_status`*::
5127+
*`checkpoint.spyware_name`*::
51285128
+
51295129
--
5130-
Malware status.
5130+
Spyware name.
51315131
51325132
type: keyword
51335133
51345134
--
51355135
5136-
*`checkpoint.subscription_expiration`*::
5136+
*`checkpoint.spyware_status`*::
5137+
+
5138+
--
5139+
Spyware status.
5140+
5141+
type: keyword
5142+
5143+
--
5144+
5145+
*`checkpoint.subs_exp`*::
51375146
+
51385147
--
51395148
The expiration date of the subscription.
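Review bot: the change from `checkpoint.malware_status` to `checkpoint.spyware_name` also rewrites the description from "Malware status." to "Spyware name.", so this is a new field rather than a rename, and the old status field disappears without a stated replacement; the added `checkpoint.spyware_status` looks like the intended successor, but none of the visible cef.asciidoc table hunks maps a CEF extension to it, so the mapping table should gain that row (or the pipeline should be checked to confirm the field is actually populated). `checkpoint.subs_exp` follows the commit message's "original Check Point field name" rule; mentioning the previous name `checkpoint.subscription_expiration` in the description would help anyone searching for the old field.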
@@ -5196,24 +5205,6 @@ type: keyword
51965205
51975206
--
51985207
5199-
*`checkpoint.malware_name`*::
5200-
+
5201-
--
5202-
Malware name.
5203-
5204-
type: keyword
5205-
5206-
--
5207-
5208-
*`checkpoint.malware_family`*::
5209-
+
5210-
--
5211-
Malware family.
5212-
5213-
type: keyword
5214-
5215-
--
5216-
52175208
*`checkpoint.voip_log_type`*::
52185209
+
52195210
--
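Review bot: removing `checkpoint.malware_name` here, together with the table change that points the "malware name" label at `checkpoint.spyware_name`, means existing saved searches on the old field silently return nothing after the upgrade; list the rename in the changelog. The `checkpoint.malware_family` removal in this hunk is a pure move (the definition is re-added earlier in this file with the same description and type) and is fine as is.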

filebeat/docs/modules/cef.asciidoc

Lines changed: 8 additions & 8 deletions
@@ -70,17 +70,17 @@ Check Point CEF extensions are mapped as follows:
7070
| deviceInboundInterface | - | observer.ingress.interface.name | - |
7171
| deviceOutboundInterface | - | observer.egress.interface.name | - |
7272
| externalId | - | - | checkpoint.uuid |
73-
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
73+
| fileHash | - | file.hash.{md5,sha1} | - |
7474
| reason | - | - | checkpoint.termination_reason |
75-
| checkrequestCookies | - | - | checkpoint.cookie |
75+
| requestCookies | - | - | checkpoint.cookie |
7676
| sourceNtDomain | - | dns.question.name | - |
7777
| Signature | - | vulnerability.id | - |
7878
| Recipient | - | destination.user.email | - |
7979
| Sender | - | source.user.email | - |
8080
| deviceCustomFloatingPoint1 | update version | observer.version | - |
8181
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
8282
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
83-
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
83+
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
8484
| email recipients number | - | checkpoint.email_recipients_num |
8585
| payload | network.bytes | - |
8686
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
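Review bot: `deviceCustomNumber1` "elapsed time in seconds" now maps to `event.duration`, but ECS defines `event.duration` in nanoseconds, so the pipeline must multiply the Check Point value by 1,000,000,000 before assigning it or the durations will be off by nine orders of magnitude; the move away from `host.uptime` itself is correct, since session elapsed time is not observer uptime. The `checkrequestCookies` to `requestCookies` row is a typo fix in the extension key name; check that the pipeline matches on `requestCookies` as well so docs and code agree. Dropping `checkpoint.file_hash` from the `fileHash` row matches the field removal in fields.asciidoc.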
@@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
100100
| update status | - | checkpoint.update_status |
101101
| peer gateway | - | checkpoint.peer_gateway |
102102
| categories | rule.category | - |
103-
.4+| deviceCustomString6 | application name | process.name | - |
103+
.4+| deviceCustomString6 | application name | network.application | - |
104104
| virus name | - | checkpoint.virus_name |
105-
| malware name | - | checkpoint.malware_name |
105+
| malware name | - | checkpoint.spyware_name |
106106
| malware family | - | checkpoint.malware_family |
107107
.5+| deviceCustomString3 | user group | group.name | - |
108108
| incident extension | - | checkpoint.incident_extension |
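Review bot: `network.application` (replacing `process.name` for "application name") requires a lowercase value per the ECS field definition, so the pipeline should lowercase the `deviceCustomString6` value when writing it; `process.name` was a poor fit because this is an application identified on the wire, not a process on the observer. The "malware name" label landing in `checkpoint.spyware_name` while "malware family" stays in `checkpoint.malware_family` will read as an inconsistency unless the table or the field description notes that `spyware_name` is the original Check Point field name.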
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
122122
| vlan id | network.vlan.id | - |
123123
| authentication method | - | checkpoint.auth_method |
124124
| email session id | - | checkpoint.email_session_id |
125-
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
125+
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
126126
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
127127
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
128128
| destination phone number | - | checkpoint.dst_phone_number |
129129
| flexString1 | application signature id | - | checkpoint.app_sig_id |
130-
.2+| flexString2 | malware action | event.action | - |
130+
.2+| flexString2 | malware action | rule.description | - |
131131
| attack information | event.action | - |
132132
| rule_uid | - | rule.uuid | - |
133-
| ifname | - | observer.ingress.interface.name | - |
133+
| ifname | - | observer.ingress.interface.name | - |
134134
| inzone | - | observer.ingress.zone | - |
135135
| outzone | - | observer.egress.zone | - |
136136
| product | - | observer.product | - |
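Review bot: `flexString2` "malware action" to `rule.description` is a semantic stretch, since ECS `rule.description` describes the rule that fired rather than the action taken on the detected object; with "attack information" still on `event.action` directly below, the table should explain why the action text is treated as rule description here, or the value could stay under a `checkpoint.*` field. The `ifname` row at 133-/133+ shows no visible difference in the rendered diff (presumably trailing whitespace), which is harmless. `checkpoint.subs_exp` matches the field rename in fields.asciidoc.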

x-pack/filebeat/module/cef/_meta/docs.asciidoc

Lines changed: 8 additions & 8 deletions
@@ -65,17 +65,17 @@ Check Point CEF extensions are mapped as follows:
6565
| deviceInboundInterface | - | observer.ingress.interface.name | - |
6666
| deviceOutboundInterface | - | observer.egress.interface.name | - |
6767
| externalId | - | - | checkpoint.uuid |
68-
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
68+
| fileHash | - | file.hash.{md5,sha1} | - |
6969
| reason | - | - | checkpoint.termination_reason |
70-
| checkrequestCookies | - | - | checkpoint.cookie |
70+
| requestCookies | - | - | checkpoint.cookie |
7171
| sourceNtDomain | - | dns.question.name | - |
7272
| Signature | - | vulnerability.id | - |
7373
| Recipient | - | destination.user.email | - |
7474
| Sender | - | source.user.email | - |
7575
| deviceCustomFloatingPoint1 | update version | observer.version | - |
7676
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
7777
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
78-
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
78+
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
7979
| email recipients number | - | checkpoint.email_recipients_num |
8080
| payload | network.bytes | - |
8181
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
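Review bot: this file is the source from which `filebeat/docs/modules/cef.asciidoc` is generated, and the three hunks here match that file row for row (fileHash, requestCookies, event.duration, network.application, spyware_name, subs_exp, rule.description), so the generated copy is in sync. The same two pipeline requirements follow from these rows: `event.duration` is defined in nanoseconds in ECS, so the seconds value from `deviceCustomNumber1` must be scaled, and `network.application` must be normalised to lowercase.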
@@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
9595
| update status | - | checkpoint.update_status |
9696
| peer gateway | - | checkpoint.peer_gateway |
9797
| categories | rule.category | - |
98-
.4+| deviceCustomString6 | application name | process.name | - |
98+
.4+| deviceCustomString6 | application name | network.application | - |
9999
| virus name | - | checkpoint.virus_name |
100-
| malware name | - | checkpoint.malware_name |
100+
| malware name | - | checkpoint.spyware_name |
101101
| malware family | - | checkpoint.malware_family |
102102
.5+| deviceCustomString3 | user group | group.name | - |
103103
| incident extension | - | checkpoint.incident_extension |
@@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
117117
| vlan id | network.vlan.id | - |
118118
| authentication method | - | checkpoint.auth_method |
119119
| email session id | - | checkpoint.email_session_id |
120-
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
120+
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
121121
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
122122
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
123123
| destination phone number | - | checkpoint.dst_phone_number |
124124
| flexString1 | application signature id | - | checkpoint.app_sig_id |
125-
.2+| flexString2 | malware action | event.action | - |
125+
.2+| flexString2 | malware action | rule.description | - |
126126
| attack information | event.action | - |
127127
| rule_uid | - | rule.uuid | - |
128-
| ifname | - | observer.ingress.interface.name | - |
128+
| ifname | - | observer.ingress.interface.name | - |
129129
| inzone | - | observer.ingress.zone | - |
130130
| outzone | - | observer.egress.zone | - |
131131
| product | - | observer.product | - |

x-pack/filebeat/module/cef/fields.go

Lines changed: 1 addition & 1 deletion