diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index fa7bdb0aab24..6c0fac860bf5 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4895,7 +4895,7 @@ type: keyword -- Confidence level determined. -type: keyword +type: integer -- @@ -4989,15 +4989,6 @@ type: long -- -*`checkpoint.file_hash`*:: -+ --- -File hash (SHA1 or MD5). - -type: keyword - --- - *`checkpoint.frequency`*:: + -- @@ -5052,6 +5043,15 @@ type: keyword -- +*`checkpoint.malware_family`*:: ++ +-- +Malware family. + +type: keyword + +-- + *`checkpoint.peer_gateway`*:: + -- @@ -5066,7 +5066,7 @@ type: ip -- Protection performance impact. -type: keyword +type: integer -- @@ -5124,16 +5124,25 @@ type: keyword -- -*`checkpoint.malware_status`*:: +*`checkpoint.spyware_name`*:: + -- -Malware status. +Spyware name. type: keyword -- -*`checkpoint.subscription_expiration`*:: +*`checkpoint.spyware_status`*:: ++ +-- +Spyware status. + +type: keyword + +-- + +*`checkpoint.subs_exp`*:: + -- The expiration date of the subscription. @@ -5196,24 +5205,6 @@ type: keyword -- -*`checkpoint.malware_name`*:: -+ --- -Malware name. - -type: keyword - --- - -*`checkpoint.malware_family`*:: -+ --- -Malware family. - -type: keyword - --- - *`checkpoint.voip_log_type`*:: + -- diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index bb5b77dee42e..38ac4e4cd5b0 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc 
@@ -70,9 +70,9 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash | +| fileHash | - | file.hash.{md5,sha1} | - | | reason | - | - | checkpoint.termination_reason | -| checkrequestCookies | - | - | checkpoint.cookie | +| requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | | Signature | - | vulnerability.id | - | | Recipient | - | destination.user.email | - | @@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | @@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | process.name | - | +.4+| deviceCustomString6 | application name | network.application | - | | virus name | - | checkpoint.virus_name | - | malware name | - | checkpoint.malware_name | + | malware name | - | checkpoint.spyware_name | | malware family | - | checkpoint.malware_family | .5+| deviceCustomString3 | user group | group.name | - | | incident extension | - | checkpoint.incident_extension | 
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | | flexString1 | application signature id | - | checkpoint.app_sig_id | -.2+| flexString2 | malware action | event.action | - | +.2+| flexString2 | malware action | rule.description | - | | attack information | event.action | - | | rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | +| ifname | - | observer.ingress.interface.name | - | | inzone | - | observer.ingress.zone | - | | outzone | - | observer.egress.zone | - | | product | - | observer.product | - | diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index d3f97e011dd9..00d2ab1e7914 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -65,9 +65,9 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash | +| fileHash | - | file.hash.{md5,sha1} | - | | reason | - | - | checkpoint.termination_reason | -| checkrequestCookies | - | - | checkpoint.cookie | +| requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | | Signature | - | vulnerability.id | - | | Recipient | - | destination.user.email | - | 
@@ -75,7 +75,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | @@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | process.name | - | +.4+| deviceCustomString6 | application name | network.application | - | | virus name | - | checkpoint.virus_name | - | malware name | - | checkpoint.malware_name | + | malware name | - | checkpoint.spyware_name | | malware family | - | checkpoint.malware_family | .5+| deviceCustomString3 | user group | group.name | - | | incident extension | - | checkpoint.incident_extension | 
@@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | | flexString1 | application signature id | - | checkpoint.app_sig_id | -.2+| flexString2 | malware action | event.action | - | +.2+| flexString2 | malware action | rule.description | - | | attack information | event.action | - | | rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | +| ifname | - | observer.ingress.interface.name | - | | inzone | - | observer.ingress.zone | - | | outzone | - | observer.egress.zone | - | | product | - | observer.product | - | diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index 217d805818d1..5e33a41c840d 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 40f6cdb4bfb9..264e15e12edf 100644 --- a/x-pack/filebeat/module/cef/log/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml 
@@ -18,170 +18,208 @@ fields: - name: app_risk type: keyword + overwrite: true description: Application risk. - name: app_severity type: keyword + overwrite: true description: Application threat severity. - name: app_sig_id type: keyword + overwrite: true description: The signature ID which the application was detected by. - name: auth_method type: keyword + overwrite: true description: Password authentication protocol used. - name: category type: keyword + overwrite: true description: Category. - name: confidence_level - type: keyword + type: integer + overwrite: true description: Confidence level determined. - name: connectivity_state type: keyword + overwrite: true description: Connectivity state. - name: cookie type: keyword + overwrite: true description: IKE cookie. - name: dst_phone_number type: keyword + overwrite: true description: Destination IP-Phone. - name: email_control type: keyword + overwrite: true description: Engine name. - name: email_id type: keyword + overwrite: true description: Internal email ID. - name: email_recipients_num type: long + overwrite: true description: Number of recipients. - name: email_session_id type: keyword + overwrite: true description: Internal email session ID. - name: email_spool_id + overwrite: true type: keyword + description: Internal email spool ID. - name: email_subject type: keyword + overwrite: true description: Email subject. - name: event_count type: long + overwrite: true description: Number of events associated with the log. - - name: file_hash - type: keyword - description: File hash (SHA1 or MD5). - - name: frequency type: keyword + overwrite: true description: Scan frequency. - name: icmp_type type: long + overwrite: true description: ICMP type. - name: icmp_code type: long + overwrite: true description: ICMP code. - name: identity_type type: keyword + overwrite: true description: Identity type. - name: incident_extension type: keyword + overwrite: true description: Format of original data. 
- name: integrity_av_invoke_type type: keyword + overwrite: true description: Scan invoke type. + - name: malware_family + type: keyword + overwrite: true + description: Malware family. + - name: peer_gateway type: ip + overwrite: true description: Main IP of the peer Security Gateway. - name: performance_impact - type: keyword + type: integer + overwrite: true description: Protection performance impact. - name: protection_id type: keyword + overwrite: true description: Protection malware ID. - name: protection_name type: keyword + overwrite: true description: Specific signature name of the attack. - name: protection_type type: keyword + overwrite: true description: Type of protection used to detect the attack. - name: scan_result type: keyword + overwrite: true description: Scan result. - name: sensor_mode type: keyword + overwrite: true description: Sensor mode. - name: severity type: keyword + overwrite: true description: Threat severity. - - name: malware_status + - name: spyware_name type: keyword - description: Malware status. + overwrite: true + description: Spyware name. - - name: subscription_expiration + - name: spyware_status + type: keyword + overwrite: true + description: Spyware status. + + - name: subs_exp type: date + overwrite: true description: The expiration date of the subscription. - name: tcp_flags type: keyword + overwrite: true description: TCP packet flags. - name: termination_reason type: keyword + overwrite: true description: Termination reason. - name: update_status type: keyword + overwrite: true description: Update status. - name: user_status type: keyword + overwrite: true description: User response. - name: uuid type: keyword + overwrite: true description: External ID. - name: virus_name type: keyword + overwrite: true description: Virus name. - - name: malware_name - type: keyword - description: Malware name. - - - name: malware_family - type: keyword - description: Malware family. 
- - name: voip_log_type type: keyword + overwrite: true description: VoIP log types. - name: cef.extensions diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index f3f38355ed91..eea2f8fd5926 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -76,7 +76,7 @@ processors: - name: deviceExternalId to: observer.type - # Product Family + # Product Family (override deviceExternalId if present). - name: deviceFacility to: observer.type convert: @@ -104,6 +104,10 @@ processors: to: checkpoint.termination_reason # Possibly an IKE cookie + - name: requestCookies + to: checkpoint.cookie + + # Probably a typo in CP's CEF docs - name: checkrequestCookies to: checkpoint.cookie @@ -136,7 +140,7 @@ processors: - name: deviceCustomNumber1 labels: payload: network.bytes - elapsed time in seconds: host.uptime + elapsed time in seconds: event.duration email recipients number: checkpoint.email_recipients_num - name: deviceCustomNumber2 @@ -172,9 +176,9 @@ processors: - name: deviceCustomString6 labels: - application name: process.name + application name: network.application virus name: checkpoint.virus_name - malware name: checkpoint.malware_name + malware name: checkpoint.spyware_name malware family: checkpoint.malware_family - name: deviceCustomString3 @@ -208,7 +212,7 @@ processors: - name: deviceCustomDate2 labels: - subscription expiration: checkpoint.subscription_expiration + subscription expiration: checkpoint.subs_exp - name: deviceFlexNumber1 labels: @@ -225,7 +229,7 @@ processors: - name: flexString2 labels: - malware action: event.action + malware action: rule.description attack information: event.action - name: rule_uid 
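Review bot: The `email_spool_id` entry is the one place in this hunk where `overwrite: true` is inserted before `type: keyword` (with the new `description` after it), so its key order differs from every other field; writing it as `type: keyword` / `overwrite: true` / `description: Internal email spool ID.` keeps the generated fields.asciidoc diff uniform. `confidence_level` and `performance_impact` change from `keyword` to `integer`, but the cp-pipeline.yml hunks in this commit map deviceFlexNumber1/2 onto them with no `convert` step, so indexing presumably relies on the CEF decoder already emitting numbers or on coercion; a non-numeric value in either field would reject the whole document under an `integer` mapping, so this is worth confirming against the fixtures. Removing `file_hash` also drops the mapping for a value the pipeline still leaves in `checkpoint.file_hash` whenever the hash length is not 32, 40 or 64, which will then be indexed by dynamic mapping rather than as a declared keyword.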
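Review bot: `elapsed time in seconds: event.duration` in the `@@ -136` hunk maps a value expressed in seconds onto ECS `event.duration`, which is defined in nanoseconds; the only visible processor touching that field (`field: event.duration` / `ignore_missing: true` in the context of `@@ -295`) has its body outside the hunks, so I cannot tell whether the value is scaled. If no conversion happens, add a `script` or `convert` step that multiplies by 1e9 and document it with `# deviceCustomNumber1 'elapsed time in seconds' is seconds; ECS event.duration is nanoseconds.`. The `malware action: rule.description` change in `@@ -225` reads as a deliberate ECS realignment, but a one-line comment explaining why it is no longer an `event.action` would spare the next reader a git-blame.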
@@ -295,15 +299,19 @@ processors: field: event.duration ignore_missing: true - # checkpoint.file_hash can be either MD5 or SHA1. - - set: - field: file.hash.md5 - value: '{{checkpoint.file_hash}}' + # checkpoint.file_hash can be either MD5, SHA1 or SHA256. + - rename: + field: checkpoint.file_hash + target_field: file.hash.md5 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' - - set: - field: file.hash.sha1 - value: '{{checkpoint.file_hash}}' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha1 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha256 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' # Event kind is 'event' by default. 'alert' when a risk score and rule info # is present. @@ -324,7 +332,7 @@ processors: - set: field: event.category value: malware - if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.malware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' + if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' - set: field: event.category value: intrusion_detection diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 0cc100922d00..1dce9c9aae7c 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json 
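Review bot: The three `rename` processors only move `checkpoint.file_hash` when its length is exactly 32, 40 or 64, so a value of any other length stays in `checkpoint.file_hash`, a field this same commit removes from fields.yml; either keep that field definition or add a final step that handles the fall-through case explicitly. The length test also does not check that the string is hexadecimal, so a 32-character non-hex value lands in `file.hash.md5` unchanged; since Painless regex is disabled by default a stricter check is not free, so at minimum the comment should say so, e.g. `# Only the length is checked; non-hex values of matching length are still treated as hashes.`. The updated comment says SHA256 is now handled, while the cef.asciidoc and docs.asciidoc tables in this commit still list `file.hash.{md5,sha1}` for fileHash; those rows should mention sha256 as well.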
@@ -116,8 +116,7 @@ "cef.severity": "Unknown", "cef.version": "0", "checkpoint.email_control": "SMTP Policy Restrictions", - "checkpoint.file_hash": "55f4a511e6f630a6b1319505414f114e7bcaf13d", - "checkpoint.subscription_expiration": "2020-04-11T10:42:13.000Z", + "checkpoint.subs_exp": "2020-04-11T10:42:13.000Z", "destination.port": 25, "event.action": "Bypass", "event.code": "Log", @@ -165,7 +164,6 @@ "cef.version": "0", "checkpoint.app_risk": "High", "checkpoint.event_count": "12", - "checkpoint.file_hash": "580a783c1cb2b20613323f715d231a69", "checkpoint.severity": "Very-High", "destination.ip": "::1", "event.action": "Drop",