From e9cd11c2554c0ae030ef4622727513acf5c1db7e Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Tue, 19 Jul 2022 17:43:41 +0930
Subject: [PATCH 1/3] checkpoint: add handling of authentication operations

---
 packages/checkpoint/changelog.yml | 5 +
 .../_dev/test/pipeline/test-checkpoint.log | 2 +
 .../test-checkpoint.log-expected.json | 110 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 36 ++++++
 .../data_stream/firewall/fields/ecs.yml | 2 +
 .../data_stream/firewall/fields/fields.yml | 20 ++++
 packages/checkpoint/docs/README.md | 6 +
 packages/checkpoint/manifest.yml | 2 +-
 8 files changed, 182 insertions(+), 1 deletion(-)

diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 17892c887a9..5f3a85c24a3 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.0"
+ changes:
+ - description: Add handling of authentication events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3750
 - version: "1.6.1"
 changes:
 - description: Improve TCP, SSL config description and example.
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
index e659322e65b..c3817dd615d 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
@@ -19,3 +19,5 @@ <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"] <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] +<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"] +<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index f7a9fb25eb6..8205ae197b6 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json 
@@ -1254,6 +1254,116 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2022-07-06T15:53:08.000Z", + "checkpoint": {}, + "ecs": { + "version": "8.3.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "network", + "authentication" + ], + "id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}", + "kind": "event", + "original": "\u003c134\u003e1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]", + "outcome": "success", + "sequence": 3, + "type": [ + "denied" + ] + }, + "network": { + "direction": "inbound" + }, + "observer": { + "mac": "AA-AA-AA-AA-AA-AA", + "name": "216.160.83.56", + "product": "Connectra", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-07-06T16:08:25.000Z", + "checkpoint": { + "auth_method": "User Authentication (Active Directory)", + "auth_status": "Successful Login", + "client_name": "Active Directory Query", + "client_version": "R80.30", + "identity_src": "AD Query", + "identity_type": "user", + "logid": "131073", + "roles": "Remote_Access_AR", + "snid": "ccaaffdd" + }, + "dns": { + "question": { + "name": "xxx.com" + } + }, + "ecs": { + "version": "8.3.0" + }, + "event": { + "action": "logged-in", + "category": [ + "network", + "authentication" + ], + "id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}", + "kind": "event", + "original": "\u003c134\u003e1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:\"Log In\"; flags:\"150784\"; ifdir:\"inbound\"; logid:\"131073\"; loguid:\"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}\"; origin:\"216.160.83.56\"; 
originsicname:\"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7\"; sequencenum:\"1\"; time:\"1657123705\"; version:\"5\"; auth_method:\"User Authentication (Active Directory)\"; auth_status:\"Successful Login\"; client_name:\"Active Directory Query\"; client_version:\"R80.30\"; domain_name:\"xxx.com\"; endpoint_ip:\"81.2.69.142\"; identity_src:\"AD Query\"; identity_type:\"user\"; product:\"Identity Awareness\"; roles:\"Remote_Access_AR\"; snid:\"ccaaffdd\"; src:\"81.2.69.192\"; src_user_group:\"Remote_Access_Users; Remote_Admins; All Users; AD_Users\"; src_user_name:\"usrTest (usrTest)\"; user:\"usrTest (usrTest)\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed" + ] + }, + "network": { + "direction": "inbound" + }, + "observer": { + "ip": "81.2.69.142", + "name": "216.160.83.56", + "product": "Identity Awareness", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "user": { + "group": { + "name": "Remote_Access_Users" + } + } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 3f86b7bf3b5..113b9730864 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
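Review bot: The expected document for the `Log In` sample carries `source.user.group.name: "Remote_Access_Users"` only, while the raw line's `src_user_group` holds four groups (`Remote_Access_Users; Remote_Admins; All Users; AD_Users`); presumably the `; ` inside the value collides with the pair separator of the bracketed payload, so three groups are dropped silently and this fixture now pins that loss. The same document has no `user.name`, `source.user.name` or `related.user` although the raw line carries `src_user_name` and `user` (`usrTest (usrTest)`), so the authentication event reaches the index without its principal — if an existing processor outside this hunk is meant to map those, the fixture shows it is not firing for this event. Two pre-existing mappings also look questionable for an Identity Awareness login and are worth confirming: `endpoint_ip` lands in `observer.ip` while the observer is otherwise the gateway named by `origin`, and `domain_name` lands in `dns.question.name` although it is the AD domain. I would fix the group handling and the user mapping in the pipeline before accepting this expected output.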
@@ -236,6 +236,30 @@ processors:
 field: event.category
 value: intrusion_detection
 if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+ - set:
+ field: event.outcome
+ value: success
+ if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)"
+ - append:
+ field: event.category
+ value: authentication
+ if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)"
+ - append:
+ field: event.type
+ value: allowed
+ if: ctx.checkpoint?.action == 'Log In'
+ - set:
+ field: checkpoint.action
+ value: logged-in
+ if: ctx.checkpoint?.action == 'Log In'
+ - append:
+ field: event.type
+ value: denied
+ if: ctx.checkpoint?.action == 'Failed Log In'
+ - set:
+ field: checkpoint.action
+ value: logon-failed
+ if: ctx.checkpoint?.action == 'Failed Log In'
 - append:
 field: related.ip
 value: "{{source.ip}}"
@@ -518,6 +542,18 @@ processors:
 field: checkpoint.origin
 target_field: observer.name
 ignore_missing: true
+ - rename:
+ field: checkpoint.mac_address
+ target_field: observer.mac
+ ignore_missing: true
+ - gsub:
+ field: observer.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - uppercase:
+ field: observer.mac
+ ignore_missing: true
 - rename:
 field: checkpoint.origin_ip
 target_field: observer.ip
diff --git a/packages/checkpoint/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/data_stream/firewall/fields/ecs.yml
index e221630afd4..8c652bd78f2 100644
--- a/packages/checkpoint/data_stream/firewall/fields/ecs.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/ecs.yml
@@ -156,6 +156,8 @@
 name: observer.ingress.zone
 - external: ecs
 name: observer.ip
+- external: ecs
+ name: observer.mac
 - external: ecs
 name: observer.name
 - external: ecs
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index a389420a0c4..f2822fa823b 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
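Review bot: The first hunk gives the new authentication events `event.type` `allowed`/`denied`, but for `event.category: authentication` ECS lists `start`, `end` and `info` as the expected types; `allowed`/`denied` only fit the `network` category also present on these documents, so detection content keyed on authentication semantics (`event.category:authentication and event.type:start`) will not match them. Consider an additional `append` of `start` to `event.type` under the same `['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)` condition, keeping `allowed`/`denied` for the network view. In the second hunk `checkpoint.mac_address` is renamed to `observer.mac`; for a Connectra `Failed Log In` the reported MAC is plausibly the client's rather than the gateway's, in which case `source.mac` would be the right target — worth confirming against Check Point's log field reference before the mapping is published.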
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
@@ -99,6 +99,10 @@
 type: keyword
 description: |
 Password authentication protocol used (PAP or EAP).
+ - name: auth_status
+ type: keyword
+ description: |
+ The authentication status for an event.
 - name: authority_rdata
 type: keyword
 description: |
@@ -726,6 +730,14 @@
 type: integer
 description: |
 Override application ID.
+ - name: identity_src
+ type: keyword
+ description: |
+ The source for authentication identity information.
+ - name: identity_type
+ type: keyword
+ description: |
+ The type of identity used for authentication.
 - name: ike
 type: keyword
 description: |
@@ -1210,6 +1222,10 @@
 type: keyword
 description: |
 Risk level we got from the engine.
+ - name: roles
+ type: keyword
+ description: |
+ The role of identity.
 - name: rpc_prog
 type: integer
 description: |
@@ -1346,6 +1362,10 @@
 type: keyword
 description: |
 External Interface name for source interface or Null if not found.
+ - name: snid
+ type: keyword
+ description: |
+ The Check Point session ID.
 - name: source_object
 type: keyword
 description: |
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 90da29a2473..c0de8faf5e1 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -115,6 +115,7 @@ An example event for `firewall` looks as following:
 | checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
 | checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
 | checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
+| checkpoint.auth_status | The authentication status for an event. | keyword |
 | checkpoint.authority_rdata | List of authoritative servers. | keyword |
 | checkpoint.authorization | Authorization HTTP header value. | keyword |
 | checkpoint.bcc | List of BCC addresses. | keyword |
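Review bot: The description added for `roles` in the third fields.yml hunk, `The role of identity.`, is ungrammatical and does not say whose identity is meant; the sample carries a single value (`Remote_Access_AR`), so `Roles assigned to the authenticated identity.` would read better, and the README row in this patch mirrors it and would need the same wording. `identity_src` could likewise name the sample source (`AD Query`) as an example so analysts know what values to expect. The remaining new descriptions (`auth_status`, `identity_type`, `snid`) are clear as written.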
@@ -273,6 +274,8 @@ An example event for `firewall` looks as following:
 | checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long |
 | checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long |
 | checkpoint.id | Override application ID. | integer |
+| checkpoint.identity_src | The source for authentication identity information. | keyword |
+| checkpoint.identity_type | The type of identity used for authentication. | keyword |
 | checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword |
 | checkpoint.ike_ids | All QM ids. | keyword |
 | checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword |
@@ -394,6 +397,7 @@ An example event for `firewall` looks as following:
 | checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword |
 | checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer |
 | checkpoint.risk | Risk level we got from the engine. | keyword |
+| checkpoint.roles | The role of identity. | keyword |
 | checkpoint.rpc_prog | Log for new RPC state - prog values. | integer |
 | checkpoint.rule | Matched rule number. | integer |
 | checkpoint.rule_action | Action of the matched rule in the access policy. | keyword |
@@ -427,6 +431,7 @@ An example event for `firewall` looks as following:
 | checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword |
 | checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword |
 | checkpoint.site_name | Site name. | keyword |
+| checkpoint.snid | The Check Point session ID. | keyword |
 | checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
 | checkpoint.source_object | Matched object name on source column. | keyword |
 | checkpoint.source_os | OS which generated the attack. | keyword |
@@ -616,6 +621,7 @@ An example event for `firewall` looks as following:
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
 | observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
 | observer.product | The product name of the observer. | keyword |
 | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 5d5c22c7700..5b53eb7dd6b 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.6.1"
+version: "1.7.0"
 release: ga
 description: Collect logs from Check Point with Elastic Agent.
 type: integration

From f090feed0e08be1413df9a7010c2b73bc4c7d0ce Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 20 Jul 2022 21:36:18 +0930
Subject: [PATCH 2/3] change outcome semantics

---
 .../_dev/test/pipeline/test-checkpoint.log-expected.json | 2 +-
 .../firewall/elasticsearch/ingest_pipeline/default.yml | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
index 8205ae197b6..7ff2562fa3f 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
@@ -1270,7 +1270,7 @@
 "id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}",
 "kind": "event",
 "original": "\u003c134\u003e1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]",
- "outcome": "success",
+ "outcome": "failure",
 "sequence": 3,
 "type": [
 "denied"
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 113b9730864..17fd78cf00e 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -239,7 +239,11 @@ processors:
 - set:
 field: event.outcome
 value: success
- if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)"
+ if: ctx.checkpoint?.action == 'Log In'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.checkpoint?.action == 'Failed Log In'
 - append:
 field: event.category
 value: authentication

From eef9461bf47c9cb028fb5cae1b4b5204a24e93b2 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 20 Jul 2022 21:40:12 +0930
Subject: [PATCH 3/3] separate R80.[34]0 tests into their own file

---
 .../_dev/test/pipeline/test-R80.X.log | 2 +
 .../pipeline/test-R80.X.log-expected.json | 114 ++++++++++++++++++
 .../_dev/test/pipeline/test-checkpoint.log | 2 -
 .../test-checkpoint.log-expected.json | 110 -----------------
 4 files changed, 116 insertions(+), 112 deletions(-)
 create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log
 create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log-expected.json

diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log
new file mode 100644
index 00000000000..892946f6927
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log
@@ -0,0 +1,2 @@ +<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"] +<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log-expected.json new file mode 100644 index 00000000000..ac7b8506a6d --- /dev/null +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log-expected.json 
@@ -0,0 +1,114 @@ +{ + "expected": [ + { + "@timestamp": "2022-07-06T15:53:08.000Z", + "checkpoint": {}, + "ecs": { + "version": "8.3.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "network", + "authentication" + ], + "id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}", + "kind": "event", + "original": "\u003c134\u003e1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]", + "outcome": "failure", + "sequence": 3, + "type": [ + "denied" + ] + }, + "network": { + "direction": "inbound" + }, + "observer": { + "mac": "AA-AA-AA-AA-AA-AA", + "name": "216.160.83.56", + "product": "Connectra", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-07-06T16:08:25.000Z", + "checkpoint": { + "auth_method": "User Authentication (Active Directory)", + "auth_status": "Successful Login", + "client_name": "Active Directory Query", + "client_version": "R80.30", + "identity_src": "AD Query", + "identity_type": "user", + "logid": "131073", + "roles": "Remote_Access_AR", + "snid": "ccaaffdd" + }, + "dns": { + "question": { + "name": "xxx.com" + } + }, + "ecs": { + "version": "8.3.0" + }, + "event": { + "action": "logged-in", + "category": [ + "network", + "authentication" + ], + "id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}", + "kind": "event", + "original": "\u003c134\u003e1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:\"Log In\"; flags:\"150784\"; ifdir:\"inbound\"; logid:\"131073\"; loguid:\"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7\"; 
sequencenum:\"1\"; time:\"1657123705\"; version:\"5\"; auth_method:\"User Authentication (Active Directory)\"; auth_status:\"Successful Login\"; client_name:\"Active Directory Query\"; client_version:\"R80.30\"; domain_name:\"xxx.com\"; endpoint_ip:\"81.2.69.142\"; identity_src:\"AD Query\"; identity_type:\"user\"; product:\"Identity Awareness\"; roles:\"Remote_Access_AR\"; snid:\"ccaaffdd\"; src:\"81.2.69.192\"; src_user_group:\"Remote_Access_Users; Remote_Admins; All Users; AD_Users\"; src_user_name:\"usrTest (usrTest)\"; user:\"usrTest (usrTest)\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed" + ] + }, + "network": { + "direction": "inbound" + }, + "observer": { + "ip": "81.2.69.142", + "name": "216.160.83.56", + "product": "Identity Awareness", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "user": { + "group": { + "name": "Remote_Access_Users" + } + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log index c3817dd615d..e659322e65b 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log 
@@ -19,5 +19,3 @@ <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"] <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"] -<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index 7ff2562fa3f..f7a9fb25eb6 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json 
@@ -1254,116 +1254,6 @@ "tags": [ "preserve_original_event" ] - }, - { - "@timestamp": "2022-07-06T15:53:08.000Z", - "checkpoint": {}, - "ecs": { - "version": "8.3.0" - }, - "event": { - "action": "logon-failed", - "category": [ - "network", - "authentication" - ], - "id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}", - "kind": "event", - "original": "\u003c134\u003e1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]", - "outcome": "failure", - "sequence": 3, - "type": [ - "denied" - ] - }, - "network": { - "direction": "inbound" - }, - "observer": { - "mac": "AA-AA-AA-AA-AA-AA", - "name": "216.160.83.56", - "product": "Connectra", - "type": "firewall", - "vendor": "Checkpoint" - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2022-07-06T16:08:25.000Z", - "checkpoint": { - "auth_method": "User Authentication (Active Directory)", - "auth_status": "Successful Login", - "client_name": "Active Directory Query", - "client_version": "R80.30", - "identity_src": "AD Query", - "identity_type": "user", - "logid": "131073", - "roles": "Remote_Access_AR", - "snid": "ccaaffdd" - }, - "dns": { - "question": { - "name": "xxx.com" - } - }, - "ecs": { - "version": "8.3.0" - }, - "event": { - "action": "logged-in", - "category": [ - "network", - "authentication" - ], - "id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}", - "kind": "event", - "original": "\u003c134\u003e1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:\"Log In\"; flags:\"150784\"; ifdir:\"inbound\"; logid:\"131073\"; loguid:\"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}\"; origin:\"216.160.83.56\"; 
originsicname:\"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7\"; sequencenum:\"1\"; time:\"1657123705\"; version:\"5\"; auth_method:\"User Authentication (Active Directory)\"; auth_status:\"Successful Login\"; client_name:\"Active Directory Query\"; client_version:\"R80.30\"; domain_name:\"xxx.com\"; endpoint_ip:\"81.2.69.142\"; identity_src:\"AD Query\"; identity_type:\"user\"; product:\"Identity Awareness\"; roles:\"Remote_Access_AR\"; snid:\"ccaaffdd\"; src:\"81.2.69.192\"; src_user_group:\"Remote_Access_Users; Remote_Admins; All Users; AD_Users\"; src_user_name:\"usrTest (usrTest)\"; user:\"usrTest (usrTest)\"]", - "outcome": "success", - "sequence": 1, - "type": [ - "allowed" - ] - }, - "network": { - "direction": "inbound" - }, - "observer": { - "ip": "81.2.69.142", - "name": "216.160.83.56", - "product": "Identity Awareness", - "type": "firewall", - "vendor": "Checkpoint" - }, - "related": { - "ip": [ - "81.2.69.192" - ] - }, - "source": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.192", - "user": { - "group": { - "name": "Remote_Access_Users" - } - } - }, - "tags": [ - "preserve_original_event" - ] } ] } \ No newline at end of file