[Filebeat] Add CustomString mapping to CEF for Forcepoint NGFW (elastic#15910)

* Add CustomString mapping to CEF for Forcepoint NGFW

Closes elastic#14663

Author: leehinman

CHANGELOG.next.asciidoc

@@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add dashboard for AWS ELB fileset. {pull}15804[15804]
 - Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
 - Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
+- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -4655,9 +4655,27 @@ type: keyword
 [[exported-fields-cef-module]]
 == CEF fields
 
-Module for receiving CEF logs over Syslog. The module does not add fields beyond what the decode_cef processor provides.
+Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.
 
 
+
+[float]
+=== forcepoint
+
+Fields for Forcepoint Custom String mappings
+
+
+
+*`forcepoint.virus_id`*::
++
+--
+Virus ID
+
+
+type: keyword
+
+--
+
 [[exported-fields-cisco]]
 == Cisco fields
 

filebeat/docs/modules/cef.asciidoc

@@ -40,13 +40,27 @@ The UDP port to listen for syslog traffic. Defaults to `9003`
 
 NOTE: Ports below 1024 require Filebeat to run as root.
 
+[float]
+==== Forcepoint NGFW Security Management Center
+
+This module will process CEF data from Forcepoint NGFW Security
+Management Center (SMC).  In the SMC configure the logs to be
+forwarded to the address set in `var.syslog_host` in format CEF and
+service UDP on `var.syslog_port`.  Instructions can be found in
+https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
+configuring the SMC.  Testing was done with CEF logs from SMC version
+6.6.1 and custom string mappings were taken from 'CEF Connector
+Configuration Guide' dated December 5, 2011.
+
+
 :has-dashboards!:
 
 :fileset_ex!:
 
 :modulename!:
 
 
+
 [float]
 === Fields
 

x-pack/filebeat/module/cef/_meta/docs.asciidoc

@@ -35,8 +35,22 @@ The UDP port to listen for syslog traffic. Defaults to `9003`
 
 NOTE: Ports below 1024 require Filebeat to run as root.
 
+[float]
+==== Forcepoint NGFW Security Management Center
+
+This module will process CEF data from Forcepoint NGFW Security
+Management Center (SMC).  In the SMC configure the logs to be
+forwarded to the address set in `var.syslog_host` in format CEF and
+service UDP on `var.syslog_port`.  Instructions can be found in
+https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
+configuring the SMC.  Testing was done with CEF logs from SMC version
+6.6.1 and custom string mappings were taken from 'CEF Connector
+Configuration Guide' dated December 5, 2011.
+
+
 :has-dashboards!:
 
 :fileset_ex!:
 
 :modulename!:
+

x-pack/filebeat/module/cef/_meta/fields.yml

@@ -1,6 +1,7 @@
 - key: cef-module
   title: CEF
   description: >
-    Module for receiving CEF logs over Syslog. The module does not add fields
-    beyond what the decode_cef processor provides.
+    Module for receiving CEF logs over Syslog. The module adds vendor
+    specific fields in addition to the fields the decode_cef processor
+    provides.
   fields:

x-pack/filebeat/module/cef/fields.go

@@ -0,0 +1,10 @@
+- name: forcepoint
+  type: group
+  default_field: false
+  description: >
+    Fields for Forcepoint Custom String mappings
+  fields:
+    - name: virus_id
+      type: keyword
+      description: >
+        Virus ID

x-pack/filebeat/module/cef/log/_meta/fields.yml

@@ -0,0 +1,27 @@
+---
+description: Pipeline for Forcepoint CEF
+
+processors:
+  # cs1 is ruleID
+  - set:
+      field: rule.id
+      value: "{{cef.extensions.deviceCustomString1}}"
+      if: "ctx.cef?.extensions?.deviceCustomString1 != null"
+
+  # cs2 is natRuleID
+  - set:
+      field: rule.id
+      value: "{{cef.extensions.deviceCustomString2}}"
+      if: "ctx.cef?.extensions?.deviceCustomString2 != null"
+
+  # cs3 is VulnerabilityReference
+  - set:
+      field: vulnerability.reference
+      value: "{{cef.extensions.deviceCustomString3}}"
+      if: "ctx.cef?.extensions?.deviceCustomString3 != null"
+
+  # cs4 is virusID
+  - set:
+      field: cef.forcepoint.virus_id
+      value: "{{cef.extensions.deviceCustomString4}}"
+      if: "ctx.cef?.extensions?.deviceCustomString4 != null"            

x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml

@@ -45,7 +45,9 @@ processors:
         field: destination.as.organization_name
         target_field: destination.as.organization.name
         ignore_missing: true
-
+  - pipeline:
+        name: '{< IngestPipeline "fp-pipeline" >}'
+        if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
 on_failure:
   - set:
         field: error.message

x-pack/filebeat/module/cef/log/ingest/pipeline.yml

@@ -13,7 +13,10 @@ var:
   - name: input
     default: syslog
 
-ingest_pipeline: ingest/pipeline.yml
+ingest_pipeline:
+  - ingest/pipeline.yml
+  - ingest/fp-pipeline.yml
+
 input: config/input.yml
 
 requires.processors: