checkpoint: add handling of authentication operations

packages/checkpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.0"
+  changes:
+    - description: Add handling of authentication events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3750
 - version: "1.6.1"
   changes:
     - description: Improve TCP, SSL config description and example.

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log

@@ -0,0 +1,2 @@
+<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"]
+<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"]

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R80.X.log-expected.json

@@ -0,0 +1,114 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-07-06T15:53:08.000Z",
+            "checkpoint": {},
+            "ecs": {
+                "version": "8.3.0"
+            },
+            "event": {
+                "action": "logon-failed",
+                "category": [
+                    "network",
+                    "authentication"
+                ],
+                "id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}",
+                "kind": "event",
+                "original": "\u003c134\u003e1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]",
+                "outcome": "failure",
+                "sequence": 3,
+                "type": [
+                    "denied"
+                ]
+            },
+            "network": {
+                "direction": "inbound"
+            },
+            "observer": {
+                "mac": "AA-AA-AA-AA-AA-AA",
+                "name": "216.160.83.56",
+                "product": "Connectra",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2022-07-06T16:08:25.000Z",
+            "checkpoint": {
+                "auth_method": "User Authentication (Active Directory)",
+                "auth_status": "Successful Login",
+                "client_name": "Active Directory Query",
+                "client_version": "R80.30",
+                "identity_src": "AD Query",
+                "identity_type": "user",
+                "logid": "131073",
+                "roles": "Remote_Access_AR",
+                "snid": "ccaaffdd"
+            },
+            "dns": {
+                "question": {
+                    "name": "xxx.com"
+                }
+            },
+            "ecs": {
+                "version": "8.3.0"
+            },
+            "event": {
+                "action": "logged-in",
+                "category": [
+                    "network",
+                    "authentication"
+                ],
+                "id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}",
+                "kind": "event",
+                "original": "\u003c134\u003e1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:\"Log In\"; flags:\"150784\"; ifdir:\"inbound\"; logid:\"131073\"; loguid:\"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}\"; origin:\"216.160.83.56\"; originsicname:\"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7\"; sequencenum:\"1\"; time:\"1657123705\"; version:\"5\"; auth_method:\"User Authentication (Active Directory)\"; auth_status:\"Successful Login\"; client_name:\"Active Directory Query\"; client_version:\"R80.30\"; domain_name:\"xxx.com\"; endpoint_ip:\"81.2.69.142\"; identity_src:\"AD Query\"; identity_type:\"user\"; product:\"Identity Awareness\"; roles:\"Remote_Access_AR\"; snid:\"ccaaffdd\"; src:\"81.2.69.192\"; src_user_group:\"Remote_Access_Users; Remote_Admins; All Users; AD_Users\"; src_user_name:\"usrTest (usrTest)\"; user:\"usrTest (usrTest)\"]",
+                "outcome": "success",
+                "sequence": 1,
+                "type": [
+                    "allowed"
+                ]
+            },
+            "network": {
+                "direction": "inbound"
+            },
+            "observer": {
+                "ip": "81.2.69.142",
+                "name": "216.160.83.56",
+                "product": "Identity Awareness",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.192"
+                ]
+            },
+            "source": {
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.192",
+                "user": {
+                    "group": {
+                        "name": "Remote_Access_Users"
+                    }
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml

@@ -236,6 +236,34 @@ processors:
       field: event.category
       value: intrusion_detection
       if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+  - set:
+      field: event.outcome
+      value: success
+      if: ctx.checkpoint?.action == 'Log In'
+  - set:
+      field: event.outcome
+      value: failure
+      if: ctx.checkpoint?.action == 'Failed Log In'
+  - append:
+      field: event.category
+      value: authentication
+      if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)"
+  - append:
+      field: event.type
+      value: allowed
+      if: ctx.checkpoint?.action == 'Log In'
+  - set:
+      field: checkpoint.action
+      value: logged-in
+      if: ctx.checkpoint?.action == 'Log In'
+  - append:
+      field: event.type
+      value: denied
+      if: ctx.checkpoint?.action == 'Failed Log In'
+  - set:
+      field: checkpoint.action
+      value: logon-failed
+      if: ctx.checkpoint?.action == 'Failed Log In'
   - append:
       field: related.ip
       value: "{{source.ip}}"
@@ -518,6 +546,18 @@ processors:
       field: checkpoint.origin
       target_field: observer.name
       ignore_missing: true
+  - rename:
+      field: checkpoint.mac_address
+      target_field: observer.mac
+      ignore_missing: true
+  - gsub:
+      field: observer.mac
+      ignore_missing: true
+      pattern: '[:]'
+      replacement: '-'
+  - uppercase:
+      field: observer.mac
+      ignore_missing: true
   - rename:
       field: checkpoint.origin_ip
       target_field: observer.ip

packages/checkpoint/data_stream/firewall/fields/ecs.yml

@@ -156,6 +156,8 @@
   name: observer.ingress.zone
 - external: ecs
   name: observer.ip
+- external: ecs
+  name: observer.mac
 - external: ecs
   name: observer.name
 - external: ecs

packages/checkpoint/data_stream/firewall/fields/fields.yml

@@ -99,6 +99,10 @@
       type: keyword
       description: |
         Password authentication protocol used (PAP or EAP).
+    - name: auth_status
+      type: keyword
+      description: |
+        The authentication status for an event.
     - name: authority_rdata
       type: keyword
       description: |
@@ -726,6 +730,14 @@
       type: integer
       description: |
         Override application ID.
+    - name: identity_src
+      type: keyword
+      description: |
+        The source for authentication identity information.
+    - name: identity_type
+      type: keyword
+      description: |
+        The type of identity used for authentication.
     - name: ike
       type: keyword
       description: |
@@ -1210,6 +1222,10 @@
       type: keyword
       description: |
         Risk level we got from the engine.
+    - name: roles
+      type: keyword
+      description: |
+        The role of identity.
     - name: rpc_prog
       type: integer
       description: |
@@ -1346,6 +1362,10 @@
       type: keyword
       description: |
         External Interface name for source interface or Null if not found.
+    - name: snid
+      type: keyword
+      description: |
+        The Check Point session ID.
     - name: source_object
       type: keyword
       description: |

packages/checkpoint/docs/README.md

@@ -115,6 +115,7 @@ An example event for `firewall` looks as following:
 | checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
 | checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
 | checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
+| checkpoint.auth_status | The authentication status for an event. | keyword |
 | checkpoint.authority_rdata | List of authoritative servers. | keyword |
 | checkpoint.authorization | Authorization HTTP header value. | keyword |
 | checkpoint.bcc | List of BCC addresses. | keyword |
@@ -273,6 +274,8 @@ An example event for `firewall` looks as following:
 | checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long |
 | checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long |
 | checkpoint.id | Override application ID. | integer |
+| checkpoint.identity_src | The source for authentication identity information. | keyword |
+| checkpoint.identity_type | The type of identity used for authentication. | keyword |
 | checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword |
 | checkpoint.ike_ids | All QM ids. | keyword |
 | checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword |
@@ -394,6 +397,7 @@ An example event for `firewall` looks as following:
 | checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword |
 | checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer |
 | checkpoint.risk | Risk level we got from the engine. | keyword |
+| checkpoint.roles | The role of identity. | keyword |
 | checkpoint.rpc_prog | Log for new RPC state - prog values. | integer |
 | checkpoint.rule | Matched rule number. | integer |
 | checkpoint.rule_action | Action of the matched rule in the access policy. | keyword |
@@ -427,6 +431,7 @@ An example event for `firewall` looks as following:
 | checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword |
 | checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword |
 | checkpoint.site_name | Site name. | keyword |
+| checkpoint.snid | The Check Point session ID. | keyword |
 | checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
 | checkpoint.source_object | Matched object name on source column. | keyword |
 | checkpoint.source_os | OS which generated the attack. | keyword |
@@ -616,6 +621,7 @@ An example event for `firewall` looks as following:
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
 | observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
 | observer.product | The product name of the observer. | keyword |
 | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |

packages/checkpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.6.1"
+version: "1.7.0"
 release: ga
 description: Collect logs from Check Point with Elastic Agent.
 type: integration