From 9ceb936f7e125f6d836b8aa94fbf125fe990fa02 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 2 Apr 2020 18:34:06 +0200 Subject: [PATCH 01/10] File.hash: Remove custom field, support sha256 We're trying to consolidate the field names under checkpoint.* and file_hash is not an existing field. This removes the field and keeps the data in the appropriate ECS field. Also adds support for SHA-256, which the checkpoint supports, but it's not documented in the CEF exporter. --- filebeat/docs/fields.asciidoc | 9 --------- filebeat/docs/modules/cef.asciidoc | 2 +- x-pack/filebeat/module/cef/_meta/docs.asciidoc | 2 +- x-pack/filebeat/module/cef/fields.go | 2 +- .../filebeat/module/cef/log/_meta/fields.yml | 4 ---- .../module/cef/log/ingest/cp-pipeline.yml | 18 +++++++++++------- .../cef/log/test/checkpoint.log-expected.json | 2 -- 7 files changed, 14 insertions(+), 25 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index fa7bdb0aab24..778416e0fc2d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4989,15 +4989,6 @@ type: long -- -*`checkpoint.file_hash`*:: -+ --- -File hash (SHA1 or MD5). - -type: keyword - --- - *`checkpoint.frequency`*:: + -- diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index bb5b77dee42e..95191d219c4d 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -70,7 +70,7 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash | +| fileHash | - | file.hash.{md5,sha1,sha256| - | | reason | - | - | checkpoint.termination_reason | | checkrequestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | 
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index d3f97e011dd9..6d9fad0e712a 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -65,7 +65,7 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash | +| fileHash | - | file.hash.{md5,sha1,sha256| - | | reason | - | - | checkpoint.termination_reason | | checkrequestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index 217d805818d1..5f9d81391584 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 40f6cdb4bfb9..41e223d123dc 100644 --- a/x-pack/filebeat/module/cef/log/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml @@ -80,10 +80,6 @@ type: long description: Number of events associated with the log. - - name: file_hash - type: keyword - description: File hash (SHA1 or MD5). - - name: frequency type: keyword description: Scan frequency. diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index f3f38355ed91..0ca100059195 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml 
+++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -295,15 +295,19 @@ processors: field: event.duration ignore_missing: true - # checkpoint.file_hash can be either MD5 or SHA1. - - set: - field: file.hash.md5 - value: '{{checkpoint.file_hash}}' + # checkpoint.file_hash can be either MD5, SHA1 or SHA256. + - rename: + field: checkpoint.file_hash + target_field: file.hash.md5 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' - - set: - field: file.hash.sha1 - value: '{{checkpoint.file_hash}}' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha1 if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha256 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' # Event kind is 'event' by default. 'alert' when a risk score and rule info # is present. diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 0cc100922d00..fccc126358e9 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -116,7 +116,6 @@ "cef.severity": "Unknown", "cef.version": "0", "checkpoint.email_control": "SMTP Policy Restrictions", - "checkpoint.file_hash": "55f4a511e6f630a6b1319505414f114e7bcaf13d", "checkpoint.subscription_expiration": "2020-04-11T10:42:13.000Z", "destination.port": 25, "event.action": "Bypass", @@ -165,7 +164,6 @@ "cef.version": "0", "checkpoint.app_risk": "High", "checkpoint.event_count": "12", - "checkpoint.file_hash": "580a783c1cb2b20613323f715d231a69", "checkpoint.severity": "Very-High", "destination.ip": "::1", "event.action": "Drop", From 111d1ed37f17e5e0a04a4089377b70198c92cccf Mon Sep 17 00:00:00 2001 
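Review bot: A checkpoint.file_hash whose length is not 32, 40 or 64 is left untouched by the three rename processors and stays under checkpoint.file_hash, a field this same commit deletes from fields.yml and fields.asciidoc, so such events now carry an undeclared field that falls to dynamic mapping. Either close the chain with a final `- remove:` / `field: checkpoint.file_hash` / `ignore_missing: true` (plus a comment that unrecognised lengths are dropped) or keep the field definition; the conditions also test length only, not hex content, which is probably fine for Check Point output but deserves a comment. The docs tables in this commit write `file.hash.{md5,sha1,sha256| - |` without the closing brace, and patch 07 of this series reverts the table to `file.hash.{md5,sha1}` while the pipeline keeps the sha256 rename, so docs and pipeline end the series out of step. The processors list this hunk sits in starts outside the hunk.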
From: Adrian Serrano Date: Thu, 2 Apr 2020 18:54:05 +0200 Subject: [PATCH 02/10] Typo? field requestCookies --- filebeat/docs/modules/cef.asciidoc | 2 +- x-pack/filebeat/module/cef/_meta/docs.asciidoc | 2 +- x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 95191d219c4d..23d897468c06 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -72,7 +72,7 @@ Check Point CEF extensions are mapped as follows: | externalId | - | - | checkpoint.uuid | | fileHash | - | file.hash.{md5,sha1,sha256| - | | reason | - | - | checkpoint.termination_reason | -| checkrequestCookies | - | - | checkpoint.cookie | +| requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | | Signature | - | vulnerability.id | - | | Recipient | - | destination.user.email | - | diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 6d9fad0e712a..5a267d93d8d3 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -67,7 +67,7 @@ Check Point CEF extensions are mapped as follows: | externalId | - | - | checkpoint.uuid | | fileHash | - | file.hash.{md5,sha1,sha256| - | | reason | - | - | checkpoint.termination_reason | -| checkrequestCookies | - | - | checkpoint.cookie | +| requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | | Signature | - | vulnerability.id | - | | Recipient | - | destination.user.email | - | diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index 0ca100059195..e0131e0882aa 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml 
@@ -104,6 +104,10 @@ processors: to: checkpoint.termination_reason # Possibly an IKE cookie + - name: requestCookies + to: checkpoint.cookie + + # Probably a typo in CP's CEF docs - name: checkrequestCookies to: checkpoint.cookie From a5267b986a3d49c3ea8132d0974e93fb8e8e94ee Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 3 Apr 2020 11:26:48 +0200 Subject: [PATCH 03/10] Adjust custom checkpoint fields This renames / changes types on some custom fields under checkpoint to align with the names used in Check Point logs (not CEF), so that the documents generated by the CEF module and the upcoming checkpoint module are compatible. --- filebeat/docs/fields.asciidoc | 46 +++++++++---------- filebeat/docs/modules/cef.asciidoc | 2 +- .../filebeat/module/cef/_meta/docs.asciidoc | 2 +- x-pack/filebeat/module/cef/fields.go | 2 +- .../filebeat/module/cef/log/_meta/fields.yml | 26 +++++------ .../module/cef/log/ingest/cp-pipeline.yml | 2 +- .../cef/log/test/checkpoint.log-expected.json | 2 +- 7 files changed, 41 insertions(+), 41 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 778416e0fc2d..8d3a41ac44e9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4895,7 +4895,7 @@ type: keyword -- Confidence level determined. -type: keyword +type: long -- @@ -5043,6 +5043,24 @@ type: keyword -- +*`checkpoint.malware_family`*:: ++ +-- +Malware family. + +type: keyword + +-- + +*`checkpoint.malware_name`*:: ++ +-- +Malware name. + +type: keyword + +-- + *`checkpoint.peer_gateway`*:: + -- @@ -5057,7 +5075,7 @@ type: ip -- Protection performance impact. -type: keyword +type: long -- @@ -5115,16 +5133,16 @@ type: keyword -- -*`checkpoint.malware_status`*:: +*`checkpoint.spyware_status`*:: + -- -Malware status. +Spyware status. type: keyword -- -*`checkpoint.subscription_expiration`*:: +*`checkpoint.subs_exp`*:: + -- The expiration date of the subscription. 
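Review bot: Both `requestCookies` and `checkrequestCookies` now target checkpoint.cookie, and nothing in the hunk states what happens when one event carries both keys; presumably the later entry in this list wins, but that depends on how the mapping list is applied outside the hunk, so a one-line comment would help. The added `# Probably a typo in CP's CEF docs` reads better as `# checkrequestCookies is probably a typo in CP's CEF docs; kept for devices that emit it`, so a later reader does not strip it as dead. The enclosing mapping list starts before the hunk.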
@@ -5187,24 +5205,6 @@ type: keyword -- -*`checkpoint.malware_name`*:: -+ --- -Malware name. - -type: keyword - --- - -*`checkpoint.malware_family`*:: -+ --- -Malware family. - -type: keyword - --- - *`checkpoint.voip_log_type`*:: + -- diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 23d897468c06..73525740288a 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -122,7 +122,7 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 5a267d93d8d3..818b2efdb201 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -117,7 +117,7 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | 
diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index 5f9d81391584..f044a381a503 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 41e223d123dc..4f4ad7231dbb 100644 --- a/x-pack/filebeat/module/cef/log/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml @@ -37,7 +37,7 @@ description: Category. - name: confidence_level - type: keyword + type: long description: Confidence level determined. - name: connectivity_state @@ -104,12 +104,20 @@ type: keyword description: Scan invoke type. + - name: malware_family + type: keyword + description: Malware family. + + - name: malware_name + type: keyword + description: Malware name. + - name: peer_gateway type: ip description: Main IP of the peer Security Gateway. - name: performance_impact - type: keyword + type: long description: Protection performance impact. - name: protection_id @@ -136,11 +144,11 @@ type: keyword description: Threat severity. - - name: malware_status + - name: spyware_status type: keyword - description: Malware status. + description: Spyware status. - - name: subscription_expiration + - name: subs_exp type: date description: The expiration date of the subscription. @@ -168,14 +176,6 @@ type: keyword description: Virus name. - - name: malware_name - type: keyword - description: Malware name. - - - name: malware_family - type: keyword - description: Malware family. - - name: voip_log_type type: keyword description: VoIP log types. 
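Review bot: The @@ -37 and @@ -104 hunks of fields.yml change checkpoint.confidence_level and checkpoint.performance_impact from keyword to long, and the @@ -136 hunk renames malware_status and subscription_expiration, which is a breaking change for anyone already indexing this module: an existing index keeps the keyword mapping and the old names, so queries will not line up across rollover. The diffstat touches no changelog, so this should be recorded as a breaking change, covering the final type since patch 09 moves confidence_level on to integer. Whether the CEF decoder already hands deviceFlexNumber1/deviceFlexNumber2 over as numbers is not visible here; if they arrive as strings, a non-numeric value would now be rejected at index time instead of stored.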
diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index e0131e0882aa..5b52e8387fd9 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -212,7 +212,7 @@ processors: - name: deviceCustomDate2 labels: - subscription expiration: checkpoint.subscription_expiration + subscription expiration: checkpoint.subs_exp - name: deviceFlexNumber1 labels: diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index fccc126358e9..1dce9c9aae7c 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -116,7 +116,7 @@ "cef.severity": "Unknown", "cef.version": "0", "checkpoint.email_control": "SMTP Policy Restrictions", - "checkpoint.subscription_expiration": "2020-04-11T10:42:13.000Z", + "checkpoint.subs_exp": "2020-04-11T10:42:13.000Z", "destination.port": 25, "event.action": "Bypass", "event.code": "Log", From 903930ce882e378360acc0b14a075fe29d40ec9b Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 3 Apr 2020 16:25:46 +0200 Subject: [PATCH 04/10] Replace malware_name with spyware_name That's the correct name for this field. --- filebeat/docs/fields.asciidoc | 18 +++++++++--------- x-pack/filebeat/module/cef/fields.go | 2 +- .../filebeat/module/cef/log/_meta/fields.yml | 8 ++++---- .../module/cef/log/ingest/cp-pipeline.yml | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8d3a41ac44e9..bc1bddac4073 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5052,15 +5052,6 @@ type: keyword -- -*`checkpoint.malware_name`*:: -+ --- -Malware name. - -type: keyword - --- - *`checkpoint.peer_gateway`*:: + -- 
@@ -5133,6 +5124,15 @@ type: keyword -- +*`checkpoint.spyware_name`*:: ++ +-- +Spyware name. + +type: keyword + +-- + *`checkpoint.spyware_status`*:: + -- diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index f044a381a503..b5aca406c25b 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 4f4ad7231dbb..817f499f0eff 100644 --- a/x-pack/filebeat/module/cef/log/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml @@ -108,10 +108,6 @@ type: keyword description: Malware family. - - name: malware_name - type: keyword - description: Malware name. - - name: peer_gateway type: ip description: Main IP of the peer Security Gateway. @@ -144,6 +140,10 @@ type: keyword description: Threat severity. + - name: spyware_name + type: keyword + description: Spyware name. + - name: spyware_status type: keyword description: Spyware status. diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index 5b52e8387fd9..31006dea4032 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -178,7 +178,7 @@ processors: labels: application name: process.name virus name: checkpoint.virus_name - malware name: checkpoint.malware_name + malware name: checkpoint.spyware_name malware family: checkpoint.malware_family - name: deviceCustomString3 
@@ -332,7 +332,7 @@ processors: - set: field: event.category value: malware - if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.malware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' + if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' - set: field: event.category value: intrusion_detection From 94c57c6a1796c1170891f8c201274ec245d2733c Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 6 Apr 2020 22:03:21 +0200 Subject: [PATCH 05/10] Map malware_action to rule.description --- x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index 31006dea4032..e47e97f2c0a2 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -229,7 +229,7 @@ processors: - name: flexString2 labels: - malware action: event.action + malware action: rule.description attack information: event.action - name: rule_uid From a25b7a33ca0c7c7be9bf33ba77a75691eac86a60 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 13 Apr 2020 08:43:25 +0200 Subject: [PATCH 06/10] Some more adjustments --- filebeat/docs/modules/cef.asciidoc | 4 ++-- x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 73525740288a..40bbb61543c3 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc 
@@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | network.duration | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | @@ -100,7 +100,7 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | process.name | - | +.4+| deviceCustomString6 | application name | network.application | - | | virus name | - | checkpoint.virus_name | | malware name | - | checkpoint.malware_name | | malware family | - | checkpoint.malware_family | diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml index e47e97f2c0a2..eea2f8fd5926 100644 --- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml @@ -76,7 +76,7 @@ processors: - name: deviceExternalId to: observer.type - # Product Family + # Product Family (override deviceExternalId if present). - name: deviceFacility to: observer.type convert: @@ -140,7 +140,7 @@ processors: - name: deviceCustomNumber1 labels: payload: network.bytes - elapsed time in seconds: host.uptime + elapsed time in seconds: event.duration email recipients number: checkpoint.email_recipients_num - name: deviceCustomNumber2 
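Review bot: In the @@ -140 hunk `elapsed time in seconds: event.duration` maps a value labelled as seconds onto ECS event.duration, which is defined in nanoseconds, so without a multiplication by 1e9 the stored durations are off by nine orders of magnitude. The patch 01 hunk shows a processor on `field: event.duration` whose body lies outside the view; if that already converts units, a comment on this line saying so would save the next reader the trip. The docs table in this same commit writes `network.duration` for the mapping the pipeline calls `event.duration`; patch 08 later aligns the docs to event.duration, so only the unit question remains.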
@@ -176,7 +176,7 @@ processors: - name: deviceCustomString6 labels: - application name: process.name + application name: network.application virus name: checkpoint.virus_name malware name: checkpoint.spyware_name malware family: checkpoint.malware_family From c6e45f4353c852ce5bdf1dee3451f4927f294b21 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 13 Apr 2020 08:45:21 +0200 Subject: [PATCH 07/10] Update docs --- filebeat/docs/modules/cef.asciidoc | 6 +++--- x-pack/filebeat/module/cef/_meta/docs.asciidoc | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 40bbb61543c3..842604ec29f2 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -70,7 +70,7 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1,sha256| - | +| fileHash | - | file.hash.{md5,sha1} | - | | reason | - | - | checkpoint.termination_reason | | requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | @@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | network.duration | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | 
@@ -100,7 +100,7 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | network.application | - | +.4+| deviceCustomString6 | application name | process.name | - | | virus name | - | checkpoint.virus_name | | malware name | - | checkpoint.malware_name | | malware family | - | checkpoint.malware_family | diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 818b2efdb201..d0af8af62bb1 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -65,7 +65,7 @@ Check Point CEF extensions are mapped as follows: | deviceInboundInterface | - | observer.ingress.interface.name | - | | deviceOutboundInterface | - | observer.egress.interface.name | - | | externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.{md5,sha1,sha256| - | +| fileHash | - | file.hash.{md5,sha1} | - | | reason | - | - | checkpoint.termination_reason | | requestCookies | - | - | checkpoint.cookie | | sourceNtDomain | - | dns.question.name | - | From 5a64ee709dbc7ef3fad46ab4af5ad0f806b33b0e Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 13 Apr 2020 09:15:39 +0200 Subject: [PATCH 08/10] Missing docs changes --- filebeat/docs/modules/cef.asciidoc | 12 ++++++------ x-pack/filebeat/module/cef/_meta/docs.asciidoc | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 842604ec29f2..38ac4e4cd5b0 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc 
@@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | @@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | process.name | - | +.4+| deviceCustomString6 | application name | network.application | - | | virus name | - | checkpoint.virus_name | - | malware name | - | checkpoint.malware_name | + | malware name | - | checkpoint.spyware_name | | malware family | - | checkpoint.malware_family | .5+| deviceCustomString3 | user group | group.name | - | | incident extension | - | checkpoint.incident_extension | 
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | | flexString1 | application signature id | - | checkpoint.app_sig_id | -.2+| flexString2 | malware action | event.action | - | +.2+| flexString2 | malware action | rule.description | - | | attack information | event.action | - | | rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | +| ifname | - | observer.ingress.interface.name | - | | inzone | - | observer.ingress.zone | - | | outzone | - | observer.egress.zone | - | | product | - | observer.product | - | diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index d0af8af62bb1..00d2ab1e7914 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -75,7 +75,7 @@ Check Point CEF extensions are mapped as follows: | deviceCustomFloatingPoint1 | update version | observer.version | - | | deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | | deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - | +.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | | email recipients number | - | checkpoint.email_recipients_num | | payload | network.bytes | - | .2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | 
@@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows: | update status | - | checkpoint.update_status | | peer gateway | - | checkpoint.peer_gateway | | categories | rule.category | - | -.4+| deviceCustomString6 | application name | process.name | - | +.4+| deviceCustomString6 | application name | network.application | - | | virus name | - | checkpoint.virus_name | - | malware name | - | checkpoint.malware_name | + | malware name | - | checkpoint.spyware_name | | malware family | - | checkpoint.malware_family | .5+| deviceCustomString3 | user group | group.name | - | | incident extension | - | checkpoint.incident_extension | @@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows: | vlan id | network.vlan.id | - | | authentication method | - | checkpoint.auth_method | | email session id | - | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | | deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | .2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | | destination phone number | - | checkpoint.dst_phone_number | | flexString1 | application signature id | - | checkpoint.app_sig_id | -.2+| flexString2 | malware action | event.action | - | +.2+| flexString2 | malware action | rule.description | - | | attack information | event.action | - | | rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | +| ifname | - | observer.ingress.interface.name | - | | inzone | - | observer.ingress.zone | - | | outzone | - | observer.egress.zone | - | | product | - | observer.product | - | From 964572e43b5aca20aaeaad9df4ab626bcb07b87c Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 13 Apr 2020 16:16:22 +0200 Subject: [PATCH 09/10] Change field type from long to integer --- filebeat/docs/fields.asciidoc | 2 +- x-pack/filebeat/module/cef/fields.go | 2 +- x-pack/filebeat/module/cef/log/_meta/fields.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index bc1bddac4073..832c1316f2ce 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4895,7 +4895,7 @@ type: keyword -- Confidence level determined. -type: long +type: integer -- diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index b5aca406c25b..3d183ec442fd 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "eJy8md1u8ygTx897FXMD7QXk4JVe9WMVrZ5VpHafU0Tx2GFjMyyM3WavfjWQr6dNgmtXm6PKwO8/DAPM0FvY4HYBBuvbjqq+xRsAttziAu4fn24AKowmWM+W3AL+dwMA8CN1hJoCBDRoB+sa6Q0tNRFowADP29hScwcva4TMBV1VEQZ0FYVEiR6Nra2B2mJbRbBOulgRAibgNe5b5M8KDVWoDNbgAxmMcYfxgQZbYby7gV3/Rfouv1twusOFWGrQk3V8aALgrccFNIF6f/K1wlr3LauEWkCt24i/NH/yxv73lI0Vrzwd9OC+j0wdPHMQJ3Xae+uaeDLwo82ndg829FHZ6pfGveUb3L5R+Nh2xUD5/RQiLB8ODZ//2IubNZrNf+i0e9GDVfKayV6Lv3rtbqTbtPcq2LiZ6rb/e99ao1MkCufus5M+ykUcMFjefockrwNqhj1yjLptZkSJ7NFoG6e5DwjLB3hbW7NOu06fmPWmI1TIaBgreC2a1fNadchrmmzXSscofRILHe8N8YGYDLXQR6wKZhjN2FCYvC73u/ElGXK1rdAZVC0O2J6Va8k1V7UOEEiQ5O3QWVeeJTmHhu1geasia8bJ8z0hQSIVpWljJ8stf3/cEQoyVWTl1+RQub57xTBV8AEjW5fjaLm6XQmyII2dtq0y5DjQ+YUdofvoGuswEUfJTd/NS8cYnG4zCJYPo/QCGustOo7i4Enh+0daGKAajrBR2hFjtOS+b8474Ni5R0/0jR5PuNHa/etfaHhyWGXFDCkJDuhYGerdebnx65tIEXSMZKyW6+DNcr4wJOm7bkYd8O8enZl8JD8b7Y6Ugpo1nVeCnjTl5f2PVeo6RkXy0+kqMrqkUsklyNvL8xkTrDvIqGk5kzQVvjM62VJTVZ8odJoldijYxspmqTTroj5jIymQ0oOybqANzpp7ipzMGTP9TrdvOqCqdWfbyeH6I1MgUwqSHjGoRjO+6fOC1l/XsnKtiZ9lMwoNntH04kP4LWOLFoRaFktSGdt5feFsKsX0KpBkiildOxIhE0smHMbOOJRPDNitY/lIPhGWD5PDbF/YHpNqwe1XRTNrU6opTkyZE/EvW590j7iUNEt9nVP58RZFo50KGPt28m2V9l9GlMTQRQqqu3SkjhFLCOjK5+rc2u3lS/Va9Nt0qsyLsMQYk07u5SSX7+NcwUwpSfavUeH7x5Mqi1Wfi5NPxSi+extyji7d9xtHuPuOBRPYeFW3upk84Zf7FXhtNsiQOCW9VKclk1VAHafflC9HEmRSQbr34qOZ6/tngoxb3j5imCsXMchB4MnFUgD3/fRL4PF9l5kXj/780jZnT+aXtRE7ciDrVUvNrIP9Jy1XkmynEedW7FCfY313SN9OF+y7X/Ie3zno3fvu7eFt9yh97fHurJ+MV196yLsE+dLxfj4PrUcHxoU89h9yM8a3eotBjd4IVxjz5tFSM8sEamZNodNs1mNTwrMEp1npqmLXqtC3eOmlYzRrNiRXQ3PHR2vmLSz1PC9CvQ5SJ4b8/6OpkEBVP/It5CxA5JVOae5MyKw4jflpYl5kRAyDlRpshiEDhmLR/m8AAAD//w4yRic=" + return 
"eJy8md1u8ygTx897FXMD7QXk4JVepe0qWnUVqd3nFFE8dtjYDAtjp9mrXwH5avMBtavNUWXg9x+GAWboPaxxOwOF9X1HVd/iHQBrbnEG86fnO4AKvXLasiYzg//dAQC8xI5QkwOHCvWgTRN6Q0uNBxrQwevWt9Q8wNsKIXFBVpWHAU1FLlK8RaVrraDW2FYetAlddBACJuAV7lvCnxUqqlAorME6Uuj9DmMdDbpC/3AHu/6z+D387sHIDmfBUoWWtOFDEwBvLc6gcdTbk68V1rJvWUTUDGrZevzUfOaN/e85GRu88nzQg3nvmTp4ZRec1ElrtWn8ycCvNp/aPWjXe6GrT417y9e43ZD72nbDwPD7FYiweDw0nP+xF1crVOv/0GnzoAfL6DWVvOY/e+2h0G3SWuG0X4912/+tbbWSMRID5+HcSV/lPA7oNG9/QpJXDiXDHlmirpsJURL2qNeNkdw7hMUjbFZareKukydmbaSHChkVYwXvWbN6XokOeUWj7VpK70OfyELDe0OsIyZFLfQeq4wZSjI25Eavy3w3PidDptYVGoWixQHbi3LaMDbobsodOBA50eGu0yY/UTIGFetB81Z4loyjp3xCgkjKStNaj5Zb/P60I2RkKs/CrsigMH33fubHYsFH9KxNCqXF8n4ZkBlp7KRuhSLDji6vbYHuk2m0wUgskhu/oReG0RnZJhAsHov0HCptNRr2wcEXtVsyzS3hP+LCANVwhBVpe/Rek/m5Oe+ApXP3lugHPR5xxdr9+1+oeHRYJcUEyQkOaFgo6s1lufL1jSQP0ntSWoYbYaM53Rkh77ttRu3w7x6NGn0qvyppjpSMmladFQE9asqL+csydi1RCSnqeJUwOqdShXuQt9fnUxKsO0jRtIyKmgI/GE3YUmNVn8l1kkPskNONDpulkiyz+oxNyIKEHIQ2A61x0txj5CROyfQ72W6kQ1HLTrejw/UlUSBRMpIW0YlGMm7kZUFtb2vpcK0FP4fNGGjwiqoPPoTfEjZrgavDYoVsRndWXjmbcjG9dBSSxZixHYmQiDkTDmMnHMonBuzWMX8knwiHD6PDbF/bHvPqgNuvimSWKldWnJgyJeLftjbqHnExbw4ldsrmyy3yShrh0Pft6Nsq7r+EyImh8eREd+1ILRGLCOjy5+rU8u3tWyWbt9t4qkyLsMgoSSf3ciGX7/1UwUTJSfbvXuDH15MqiVXnxclZPYofVruUo4fu+40TuPuOGRNYWVG3shk94bf5EqxUa2SInJxerNOiycKh9ONvyrcjCRIpI93b4KOJ6/tnhJQtb+/RTZXz6MJBYMn4XAD3/fhL4Oljl5lnj/702DZlT6bHtYIdOZC2oqVm0sH+ixbLkGzHEZdW7FCfY/1wSN9OF+ynH/OePtjJ3RPv/eF59yh96/3uop+UFd96y7sG+dbxfjkPrYsD40oe+w+ZCeNbuUUnijfCDca0ebTUTDKBmklT6CSrVWlKeJFgJAtZVWxa4foWr710FLMmQ1I1NHW812rawlLP0yLUShfqRJf+hTQW4qjqC99CLgKCvJAxzZ0ImRSnPj1NTIsMj27QoQabYMiALlu0/xsAAP//oHtHZQ==" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 817f499f0eff..2efcf6e1f1d5 100644 --- a/x-pack/filebeat/module/cef/log/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml 
@@ -37,7 +37,7 @@ description: Category. - name: confidence_level - type: long + type: integer description: Confidence level determined. - name: connectivity_state From 70d3c478b2aff5230d95b088d6b3e3068f63edd2 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 14 Apr 2020 13:02:00 +0200 Subject: [PATCH 10/10] Allow field overwrite
---
 filebeat/docs/fields.asciidoc | 2 +-
 x-pack/filebeat/module/cef/fields.go | 2 +-
 .../filebeat/module/cef/log/_meta/fields.yml | 44 ++++++++++++++++++-
 3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 832c1316f2ce..6c0fac860bf5 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -5066,7 +5066,7 @@ type: ip
 --
 Protection performance impact.
-type: long
+type: integer
 --
diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go
index 3d183ec442fd..5e33a41c840d 100644
--- a/x-pack/filebeat/module/cef/fields.go
+++ b/x-pack/filebeat/module/cef/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "eJy8md1u8ygTx897FXMD7QXk4JVepe0qWnUVqd3nFFE8dtjYDAtjp9mrXwH5avMBtavNUWXg9x+GAWboPaxxOwOF9X1HVd/iHQBrbnEG86fnO4AKvXLasiYzg//dAQC8xI5QkwOHCvWgTRN6Q0uNBxrQwevWt9Q8wNsKIXFBVpWHAU1FLlK8RaVrraDW2FYetAlddBACJuAV7lvCnxUqqlAorME6Uuj9DmMdDbpC/3AHu/6z+D387sHIDmfBUoWWtOFDEwBvLc6gcdTbk68V1rJvWUTUDGrZevzUfOaN/e85GRu88nzQg3nvmTp4ZRec1ElrtWn8ycCvNp/aPWjXe6GrT417y9e43ZD72nbDwPD7FYiweDw0nP+xF1crVOv/0GnzoAfL6DWVvOY/e+2h0G3SWuG0X4912/+tbbWSMRID5+HcSV/lPA7oNG9/QpJXDiXDHlmirpsJURL2qNeNkdw7hMUjbFZareKukydmbaSHChkVYwXvWbN6XokOeUWj7VpK70OfyELDe0OsIyZFLfQeq4wZSjI25Eavy3w3PidDptYVGoWixQHbi3LaMDbobsodOBA50eGu0yY/UTIGFetB81Z4loyjp3xCgkjKStNaj5Zb/P60I2RkKs/CrsigMH33fubHYsFH9KxNCqXF8n4ZkBlp7KRuhSLDji6vbYHuk2m0wUgskhu/oReG0RnZJhAsHov0HCptNRr2wcEXtVsyzS3hP+LCANVwhBVpe/Rek/m5Oe+ApXP3lugHPR5xxdr9+1+oeHRYJcUEyQkOaFgo6s1lufL1jSQP0ntSWoYbYaM53Rkh77ttRu3w7x6NGn0qvyppjpSMmladFQE9asqL+csydi1RCSnqeJUwOqdShXuQt9fnUxKsO0jRtIyKmgI/GE3YUmNVn8l1kkPskNONDpulkiyz+oxNyIKEHIQ2A61x0txj5CROyfQ72W6kQ1HLTrejw/UlUSBRMpIW0YlGMm7kZUFtb2vpcK0FP4fNGGjwiqoPPoTfEjZrgavDYoVsRndWXjmbcjG9dBSSxZixHYmQiDkTDmMnHMonBuzWMX8knwiHD6PDbF/bHvPqgNuvimSWKldWnJgyJeLftjbqHnExbw4ldsrmyy3yShrh0Pft6Nsq7r+EyImh8eREd+1ILRGLCOjy5+rU8u3tWyWbt9t4qkyLsMgoSSf3ciGX7/1UwUTJSfbvXuDH15MqiVXnxclZPYofVruUo4fu+40TuPuOGRNYWVG3shk94bf5EqxUa2SInJxerNOiycKh9ONvyrcjCRIpI93b4KOJ6/tnhJQtb+/RTZXz6MJBYMn4XAD3/fhL4Oljl5lnj/702DZlT6bHtYIdOZC2oqVm0sH+ixbLkGzHEZdW7FCfY/1wSN9OF+ynH/OePtjJ3RPv/eF59yh96/3uop+UFd96y7sG+dbxfjkPrYsD40oe+w+ZCeNbuUUnijfCDca0ebTUTDKBmklT6CSrVWlKeJFgJAtZVWxa4foWr710FLMmQ1I1NHW812rawlLP0yLUShfqRJf+hTQW4qjqC99CLgKCvJAxzZ0ImRSnPj1NTIsMj27QoQabYMiALlu0/xsAAP//oHtHZQ==" + return "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" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml index 2efcf6e1f1d5..264e15e12edf 100644 
--- a/x-pack/filebeat/module/cef/log/_meta/fields.yml
+++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml
@@ -18,166 +18,208 @@ fields: - name: app_risk type: keyword + overwrite: true description: Application risk. - name: app_severity type: keyword + overwrite: true description: Application threat severity. - name: app_sig_id type: keyword + overwrite: true description: The signature ID which the application was detected by. - name: auth_method type: keyword + overwrite: true description: Password authentication protocol used. - name: category type: keyword + overwrite: true description: Category. - name: confidence_level type: integer + overwrite: true description: Confidence level determined. - name: connectivity_state type: keyword + overwrite: true description: Connectivity state. - name: cookie type: keyword + overwrite: true description: IKE cookie. - name: dst_phone_number type: keyword + overwrite: true description: Destination IP-Phone. - name: email_control type: keyword + overwrite: true description: Engine name. - name: email_id type: keyword + overwrite: true description: Internal email ID. - name: email_recipients_num type: long + overwrite: true description: Number of recipients. - name: email_session_id type: keyword + overwrite: true description: Internal email session ID. - name: email_spool_id + overwrite: true type: keyword + description: Internal email spool ID. - name: email_subject type: keyword + overwrite: true description: Email subject. - name: event_count type: long + overwrite: true description: Number of events associated with the log. - name: frequency type: keyword + overwrite: true description: Scan frequency. - name: icmp_type type: long + overwrite: true description: ICMP type. - name: icmp_code type: long + overwrite: true description: ICMP code. - name: identity_type type: keyword + overwrite: true description: Identity type. - name: incident_extension type: keyword + overwrite: true description: Format of original data. - name: integrity_av_invoke_type type: keyword + overwrite: true description: Scan invoke type. 
- name: malware_family type: keyword + overwrite: true description: Malware family. - name: peer_gateway type: ip + overwrite: true description: Main IP of the peer Security Gateway. - name: performance_impact - type: long + type: integer + overwrite: true description: Protection performance impact. - name: protection_id type: keyword + overwrite: true description: Protection malware ID. - name: protection_name type: keyword + overwrite: true description: Specific signature name of the attack. - name: protection_type type: keyword + overwrite: true description: Type of protection used to detect the attack. - name: scan_result type: keyword + overwrite: true description: Scan result. - name: sensor_mode type: keyword + overwrite: true description: Sensor mode. - name: severity type: keyword + overwrite: true description: Threat severity. - name: spyware_name type: keyword + overwrite: true description: Spyware name. - name: spyware_status type: keyword + overwrite: true description: Spyware status. - name: subs_exp type: date + overwrite: true description: The expiration date of the subscription. - name: tcp_flags type: keyword + overwrite: true description: TCP packet flags. - name: termination_reason type: keyword + overwrite: true description: Termination reason. - name: update_status type: keyword + overwrite: true description: Update status. - name: user_status type: keyword + overwrite: true description: User response. - name: uuid type: keyword + overwrite: true description: External ID. - name: virus_name type: keyword + overwrite: true description: Virus name. - name: voip_log_type type: keyword + overwrite: true description: VoIP log types. - name: cef.extensions
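Review bot: None of the forty-odd `overwrite: true` entries in this hunk says why these checkpoint.* fields must override another definition, so the next maintainer cannot tell whether the flag can be dropped or which other declaration has to stay type-compatible; a comment at the head of the group, e.g. `# overwrite: true — these names are also declared outside this module; keep the type in sync with that definition`, would carry that. If the flag behaves as it does elsewhere in libbeat, suppressing the duplicate-field error at template generation, a type divergence between the two declarations is no longer caught by the build, and this hunk also changes performance_impact from long to integer, so the comment is the only place such a divergence becomes visible. For email_spool_id the key is inserted before `type: keyword` while every other entry places it after the type; ordering it as `type: keyword` / `overwrite: true` / `description: Internal email spool ID.` keeps the hunk uniform. The field list continues past the hunk at cef.extensions, so overrides there are not visible here.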