Commit 8165f14

CEF CheckPoint: adjust fields for forward compatibility (#17681) (#17712)
This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been made in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682 (cherry picked from commit 4f6da4f)
1 parent aaccddb commit 8165f14

7 files changed

+118
-83
lines changed

filebeat/docs/fields.asciidoc

Lines changed: 23 additions & 32 deletions
@@ -4894,7 +4894,7 @@ type: keyword
48944894
--
48954895
Confidence level determined.
48964896
4897-
type: keyword
4897+
type: integer
48984898
48994899
--
49004900
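Review bot: changing `checkpoint.confidence_level` from `keyword` to `integer` is a mapping type change, not just a doc fix; indices already created from the old template keep the keyword mapping, so the new type only takes effect on newly created indices, and the ingest pipeline must now emit a numeric value for this field or the document is rejected. The description "Confidence level determined." could also state the expected numeric range so users know what the integer means.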
@@ -4988,15 +4988,6 @@ type: long
49884988
49894989
--
49904990
4991-
*`checkpoint.file_hash`*::
4992-
+
4993-
--
4994-
File hash (SHA1 or MD5).
4995-
4996-
type: keyword
4997-
4998-
--
4999-
50004991
*`checkpoint.frequency`*::
50014992
+
50024993
--
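Review bot: removing `checkpoint.file_hash` leaves `fileHash` mapped only to `file.hash.{md5,sha1}` (see the mapping table in this PR), which is the right ECS home, but any saved search or detection rule keyed on `checkpoint.file_hash` will stop matching silently; worth confirming a breaking-change entry accompanies this in the changelog, since that file is not among the rendered hunks here.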
@@ -5051,6 +5042,15 @@ type: keyword
50515042
50525043
--
50535044
5045+
*`checkpoint.malware_family`*::
5046+
+
5047+
--
5048+
Malware family.
5049+
5050+
type: keyword
5051+
5052+
--
5053+
50545054
*`checkpoint.peer_gateway`*::
50555055
+
50565056
--
@@ -5065,7 +5065,7 @@ type: ip
50655065
--
50665066
Protection performance impact.
50675067
5068-
type: keyword
5068+
type: integer
50695069
50705070
--
50715071
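Review bot: same type-change concern as `checkpoint.confidence_level` above: `checkpoint.performance_impact` moves from `keyword` to `integer`, so the pipeline has to produce a number for it and existing indices will not pick up the new type until they roll over.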
@@ -5123,16 +5123,25 @@ type: keyword
51235123
51245124
--
51255125
5126-
*`checkpoint.malware_status`*::
5126+
*`checkpoint.spyware_name`*::
51275127
+
51285128
--
5129-
Malware status.
5129+
Spyware name.
51305130
51315131
type: keyword
51325132
51335133
--
51345134
5135-
*`checkpoint.subscription_expiration`*::
5135+
*`checkpoint.spyware_status`*::
5136+
+
5137+
--
5138+
Spyware status.
5139+
5140+
type: keyword
5141+
5142+
--
5143+
5144+
*`checkpoint.subs_exp`*::
51365145
+
51375146
--
51385147
The expiration date of the subscription.
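Review bot: `checkpoint.malware_status` is replaced by `checkpoint.spyware_name` with a different description, and `checkpoint.subscription_expiration` becomes `checkpoint.subs_exp`; these follow the commit message's goal of using Check Point's original field names, but the mapping table row for `deviceCustomDate2` still reads "subscription expiration", so a short note that `subs_exp` is the vendor's native name would help readers connect the two. Also confirm that `checkpoint.subs_exp` is typed `date` (its description is "The expiration date of the subscription", but the type line falls outside this hunk's context).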
@@ -5195,24 +5204,6 @@ type: keyword
51955204
51965205
--
51975206
5198-
*`checkpoint.malware_name`*::
5199-
+
5200-
--
5201-
Malware name.
5202-
5203-
type: keyword
5204-
5205-
--
5206-
5207-
*`checkpoint.malware_family`*::
5208-
+
5209-
--
5210-
Malware family.
5211-
5212-
type: keyword
5213-
5214-
--
5215-
52165207
*`checkpoint.voip_log_type`*::
52175208
+
52185209
--
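Review bot: `checkpoint.malware_name` is removed here with no field of that name replacing it; the mapping table now routes the "malware name" CEF label to `checkpoint.spyware_name`, so users with queries on `checkpoint.malware_name` need the rename called out explicitly. `checkpoint.malware_family`, by contrast, is only relocated (re-added earlier in this file in alphabetical position), not dropped.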

filebeat/docs/modules/cef.asciidoc

Lines changed: 8 additions & 8 deletions
@@ -70,17 +70,17 @@ Check Point CEF extensions are mapped as follows:
7070
| deviceInboundInterface | - | observer.ingress.interface.name | - |
7171
| deviceOutboundInterface | - | observer.egress.interface.name | - |
7272
| externalId | - | - | checkpoint.uuid |
73-
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
73+
| fileHash | - | file.hash.{md5,sha1} | - |
7474
| reason | - | - | checkpoint.termination_reason |
75-
| checkrequestCookies | - | - | checkpoint.cookie |
75+
| requestCookies | - | - | checkpoint.cookie |
7676
| sourceNtDomain | - | dns.question.name | - |
7777
| Signature | - | vulnerability.id | - |
7878
| Recipient | - | destination.user.email | - |
7979
| Sender | - | source.user.email | - |
8080
| deviceCustomFloatingPoint1 | update version | observer.version | - |
8181
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
8282
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
83-
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
83+
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
8484
| email recipients number | - | checkpoint.email_recipients_num |
8585
| payload | network.bytes | - |
8686
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
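Review bot: the `deviceCustomNumber1` "elapsed time in seconds" row now targets `event.duration`, which ECS defines in nanoseconds; the ingest pipeline (not part of this diff) has to multiply the CEF value by 1,000,000,000 before writing it, otherwise every duration lands nine orders of magnitude too small. The `checkrequestCookies` → `requestCookies` correction is the right fix, since the documented key must match the extension key the device actually emits for the mapping to be usable.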
@@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
100100
| update status | - | checkpoint.update_status |
101101
| peer gateway | - | checkpoint.peer_gateway |
102102
| categories | rule.category | - |
103-
.4+| deviceCustomString6 | application name | process.name | - |
103+
.4+| deviceCustomString6 | application name | network.application | - |
104104
| virus name | - | checkpoint.virus_name |
105-
| malware name | - | checkpoint.malware_name |
105+
| malware name | - | checkpoint.spyware_name |
106106
| malware family | - | checkpoint.malware_family |
107107
.5+| deviceCustomString3 | user group | group.name | - |
108108
| incident extension | - | checkpoint.incident_extension |
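Review bot: moving `deviceCustomString6` "application name" from `process.name` to `network.application` is the better ECS fit, because the value names the detected network application rather than a process on the observer. The row "malware name" → `checkpoint.spyware_name` reads as a mismatch at first glance; a footnote that `spyware_name` is Check Point's original field name (the convention the commit message describes) would save readers the confusion.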
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
122122
| vlan id | network.vlan.id | - |
123123
| authentication method | - | checkpoint.auth_method |
124124
| email session id | - | checkpoint.email_session_id |
125-
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
125+
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
126126
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
127127
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
128128
| destination phone number | - | checkpoint.dst_phone_number |
129129
| flexString1 | application signature id | - | checkpoint.app_sig_id |
130-
.2+| flexString2 | malware action | event.action | - |
130+
.2+| flexString2 | malware action | rule.description | - |
131131
| attack information | event.action | - |
132132
| rule_uid | - | rule.uuid | - |
133-
| ifname | - | observer.ingress.interface.name | - |
133+
| ifname | - | observer.ingress.interface.name | - |
134134
| inzone | - | observer.ingress.zone | - |
135135
| outzone | - | observer.egress.zone | - |
136136
| product | - | observer.product | - |
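Review bot: moving "malware action" from `event.action` to `rule.description` resolves the collision where both "malware action" and "attack information" were written to `event.action`, with one silently overwriting the other; since `rule.description` is not an obvious home for an action value, a sentence of rationale in the docs would help. The `ifname` row at line 133 shows no visible change (whitespace only), which is harmless but worth a glance to confirm it was intended.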

x-pack/filebeat/module/cef/_meta/docs.asciidoc

Lines changed: 8 additions & 8 deletions
@@ -65,17 +65,17 @@ Check Point CEF extensions are mapped as follows:
6565
| deviceInboundInterface | - | observer.ingress.interface.name | - |
6666
| deviceOutboundInterface | - | observer.egress.interface.name | - |
6767
| externalId | - | - | checkpoint.uuid |
68-
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
68+
| fileHash | - | file.hash.{md5,sha1} | - |
6969
| reason | - | - | checkpoint.termination_reason |
70-
| checkrequestCookies | - | - | checkpoint.cookie |
70+
| requestCookies | - | - | checkpoint.cookie |
7171
| sourceNtDomain | - | dns.question.name | - |
7272
| Signature | - | vulnerability.id | - |
7373
| Recipient | - | destination.user.email | - |
7474
| Sender | - | source.user.email | - |
7575
| deviceCustomFloatingPoint1 | update version | observer.version | - |
7676
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
7777
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
78-
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
78+
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
7979
| email recipients number | - | checkpoint.email_recipients_num |
8080
| payload | network.bytes | - |
8181
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
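Review bot: the `event.duration` nanosecond-unit concern raised on the generated copy above applies to this hunk as well; `filebeat/docs/modules/cef.asciidoc` is generated from this `_meta/docs.asciidoc`, and the two copies match line for line in this change, so future edits should be made here and regenerated rather than applied to both by hand.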
@@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
9595
| update status | - | checkpoint.update_status |
9696
| peer gateway | - | checkpoint.peer_gateway |
9797
| categories | rule.category | - |
98-
.4+| deviceCustomString6 | application name | process.name | - |
98+
.4+| deviceCustomString6 | application name | network.application | - |
9999
| virus name | - | checkpoint.virus_name |
100-
| malware name | - | checkpoint.malware_name |
100+
| malware name | - | checkpoint.spyware_name |
101101
| malware family | - | checkpoint.malware_family |
102102
.5+| deviceCustomString3 | user group | group.name | - |
103103
| incident extension | - | checkpoint.incident_extension |
@@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
117117
| vlan id | network.vlan.id | - |
118118
| authentication method | - | checkpoint.auth_method |
119119
| email session id | - | checkpoint.email_session_id |
120-
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
120+
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
121121
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
122122
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
123123
| destination phone number | - | checkpoint.dst_phone_number |
124124
| flexString1 | application signature id | - | checkpoint.app_sig_id |
125-
.2+| flexString2 | malware action | event.action | - |
125+
.2+| flexString2 | malware action | rule.description | - |
126126
| attack information | event.action | - |
127127
| rule_uid | - | rule.uuid | - |
128-
| ifname | - | observer.ingress.interface.name | - |
128+
| ifname | - | observer.ingress.interface.name | - |
129129
| inzone | - | observer.ingress.zone | - |
130130
| outzone | - | observer.egress.zone | - |
131131
| product | - | observer.product | - |

x-pack/filebeat/module/cef/fields.go

Lines changed: 1 addition & 1 deletion