Merged
Changes from 9 commits
55 changes: 23 additions & 32 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -4895,7 +4895,7 @@ type: keyword
--
Confidence level determined.

type: keyword
type: integer
Is this already a number in the event produced by the beat? Looks like it should be since it comes from deviceFlexNumber1 which is a long from the cef processor.


--

Expand Down Expand Up @@ -4989,15 +4989,6 @@ type: long

--

*`checkpoint.file_hash`*::
+
--
File hash (SHA1 or MD5).

type: keyword

--

*`checkpoint.frequency`*::
+
--
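Review bot: dropping checkpoint.file_hash leaves fileHash with only the ECS targets file.hash.md5 and file.hash.sha1, while the removed description says the value may be either digest; the pipeline that routes a hash to one or the other is not part of this diff, so confirm it decides by digest length (32 hex characters for MD5, 40 for SHA-1) and keeps, rather than silently drops, a value that matches neither, since there is no longer a vendor field to fall back on.
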
Expand Down Expand Up @@ -5052,6 +5043,15 @@ type: keyword

--

*`checkpoint.malware_family`*::
+
--
Malware family.

type: keyword

--

*`checkpoint.peer_gateway`*::
+
--
Expand All @@ -5066,7 +5066,7 @@ type: ip
--
Protection performance impact.

type: keyword
type: long
This type can be set to integer


--
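Review bot: the type chosen here (long) does not match the one chosen for checkpoint.confidence_level at the top of this diff (integer), although both values arrive through deviceFlexNumber1 and deviceFlexNumber2, which the CEF processor decodes as the same numeric type; the comment above already suggests integer, so pick one of the two and use it for both fields, otherwise the generated docs and the index mapping imply a difference the data does not have.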

Expand Down Expand Up @@ -5124,16 +5124,25 @@ type: keyword

--

*`checkpoint.malware_status`*::
*`checkpoint.spyware_name`*::
+
--
Malware status.
Spyware name.

type: keyword

--

*`checkpoint.subscription_expiration`*::
*`checkpoint.spyware_status`*::
+
--
Spyware status.

type: keyword

--

*`checkpoint.subs_exp`*::
+
--
The expiration date of the subscription.
Expand Down Expand Up @@ -5196,24 +5205,6 @@ type: keyword

--

*`checkpoint.malware_name`*::
+
--
Malware name.

type: keyword

--

*`checkpoint.malware_family`*::
+
--
Malware family.

type: keyword

--

*`checkpoint.voip_log_type`*::
+
--
16 changes: 8 additions & 8 deletions filebeat/docs/modules/cef.asciidoc
Expand Up @@ -70,17 +70,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
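Review bot: the elapsed-time row now targets event.duration, but the CEF value is labelled "elapsed time in seconds" while ECS defines event.duration in nanoseconds (the old target, host.uptime, is in seconds). The ingest pipeline therefore has to multiply the value by 1,000,000,000 before storing it, and that pipeline is not in this diff; confirm the conversion exists, otherwise a five-second session is stored as five nanoseconds.
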
Expand All @@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
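Review bot: the row label "malware name" now points at checkpoint.spyware_name while the next row, "malware family", still points at checkpoint.malware_family and "virus name" keeps checkpoint.virus_name; if the new field name follows the vendor's own key, say so in the label or in the field description, otherwise a reader cannot tell that "malware name" and spyware_name are the same value. Moving the application name from process.name to network.application is correct, since the value is a traffic classification rather than a process on the observer.
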
Expand All @@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
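Review bot: the two ifname rows render identically, so that pair is a whitespace-only edit that is invisible in the rendered table; fine to keep, but confirm it is intentional rather than an editor artefact. For flexString2, "malware action" moves to rule.description while "attack information", carried by the same CEF key, stays on event.action; the pipeline has to choose the target from the accompanying label field, so an unmatched label leaves the value in neither ECS field, and both label values are worth covering in the module's test data.
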
16 changes: 8 additions & 8 deletions x-pack/filebeat/module/cef/_meta/docs.asciidoc
Expand Up @@ -65,17 +65,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
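Review bot: the hunks in this file are identical to those in filebeat/docs/modules/cef.asciidoc, so the same caveat applies here: event.duration is nanoseconds in ECS and the source value is in seconds, and the scaling lives in a pipeline outside this diff. Keep the two copies of the table in sync in any follow-up rather than patching only one of them.
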
Expand All @@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
Expand All @@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cef/fields.go


30 changes: 13 additions & 17 deletions x-pack/filebeat/module/cef/log/_meta/fields.yml
Expand Up @@ -37,7 +37,7 @@
description: Category.

- name: confidence_level
type: keyword
type: integer
description: Confidence level determined.

- name: connectivity_state
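Review bot: changing confidence_level from keyword to integer changes the index template, which only applies to indices created after the upgrade; existing filebeat indices keep the keyword mapping, so an index pattern spanning old and new indices shows a type conflict for this field in Kibana and range queries across it fail. Note in the changelog that the mapping change needs a new index, or document the conflict for users who keep older indices around.
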
Expand Down Expand Up @@ -80,10 +80,6 @@
type: long
description: Number of events associated with the log.

- name: file_hash
type: keyword
description: File hash (SHA1 or MD5).

- name: frequency
type: keyword
description: Scan frequency.
Expand All @@ -108,12 +104,16 @@
type: keyword
description: Scan invoke type.

- name: malware_family
type: keyword
description: Malware family.

- name: peer_gateway
type: ip
description: Main IP of the peer Security Gateway.

- name: performance_impact
type: keyword
type: long
description: Protection performance impact.

- name: protection_id
Expand All @@ -140,11 +140,15 @@
type: keyword
description: Threat severity.

- name: malware_status
- name: spyware_name
type: keyword
description: Malware status.
description: Spyware name.

- name: subscription_expiration
- name: spyware_status
type: keyword
description: Spyware status.

- name: subs_exp
type: date
description: The expiration date of the subscription.
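Review bot: subscription_expiration becomes subs_exp, and malware_status disappears in favour of spyware_name and spyware_status; these are renames of documented fields that any saved search, visualisation or alert rule referencing the old names will silently stop matching, and nothing in this diff records the change. Add a changelog entry naming the old and new fields, and consider keeping the old names for one release as type: alias entries in this file.
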

Expand Down Expand Up @@ -172,14 +176,6 @@
type: keyword
description: Virus name.

- name: malware_name
type: keyword
description: Malware name.

- name: malware_family
type: keyword
description: Malware family.

- name: voip_log_type
type: keyword
description: VoIP log types.