Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CEF CheckPoint: adjust fields for forward compatibility #17681

Merged
merged 10 commits into from
Apr 14, 2020
Merged

CEF CheckPoint: adjust fields for forward compatibility #17681

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9ceb936
File.hash: Remove custom field, support sha256
adriansr Apr 2, 2020
111d1ed
Typo? field requestCookies
adriansr Apr 2, 2020
a5267b9
Adjust custom checkpoint fields
adriansr Apr 3, 2020
903930c
Replace malware_name with spyware_name
adriansr Apr 3, 2020
94c57c6
Map malware_action to rule.description
adriansr Apr 6, 2020
a25b7a3
Some more adjustments
adriansr Apr 13, 2020
c6e45f4
Update docs
adriansr Apr 13, 2020
5a64ee7
Missing docs changes
adriansr Apr 13, 2020
964572e
Change field type from long to integer
adriansr Apr 13, 2020
70d3c47
Allow field overwrite
adriansr Apr 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 23 additions & 32 deletions filebeat/docs/fields.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4895,7 +4895,7 @@ type: keyword
--
Confidence level determined.

type: keyword
type: integer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is is this already a number in the event produced by the beat? Looks like it should be since it comes from deviceFlexNumber1 which is a long from the cef processor.


--

Expand Down Expand Up @@ -4989,15 +4989,6 @@ type: long

--

*`checkpoint.file_hash`*::
+
--
File hash (SHA1 or MD5).

type: keyword

--

*`checkpoint.frequency`*::
+
--
Expand Down Expand Up @@ -5052,6 +5043,15 @@ type: keyword

--

*`checkpoint.malware_family`*::
+
--
Malware family.

type: keyword

--

*`checkpoint.peer_gateway`*::
+
--
Expand All @@ -5066,7 +5066,7 @@ type: ip
--
Protection performance impact.

type: keyword
type: integer

--

Expand Down Expand Up @@ -5124,16 +5124,25 @@ type: keyword

--

*`checkpoint.malware_status`*::
*`checkpoint.spyware_name`*::
+
--
Malware status.
Spyware name.

type: keyword

--

*`checkpoint.subscription_expiration`*::
*`checkpoint.spyware_status`*::
+
--
Spyware status.

type: keyword

--

*`checkpoint.subs_exp`*::
+
--
The expiration date of the subscription.
Expand Down Expand Up @@ -5196,24 +5205,6 @@ type: keyword

--

*`checkpoint.malware_name`*::
+
--
Malware name.

type: keyword

--

*`checkpoint.malware_family`*::
+
--
Malware family.

type: keyword

--

*`checkpoint.voip_log_type`*::
+
--
Expand Down
16 changes: 8 additions & 8 deletions filebeat/docs/modules/cef.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,17 +70,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
Expand All @@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
Expand All @@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
Expand Down
16 changes: 8 additions & 8 deletions x-pack/filebeat/module/cef/_meta/docs.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,17 +65,17 @@ Check Point CEF extensions are mapped as follows:
| deviceInboundInterface | - | observer.ingress.interface.name | - |
| deviceOutboundInterface | - | observer.egress.interface.name | - |
| externalId | - | - | checkpoint.uuid |
| fileHash | - | file.hash.{md5,sha1} | checkpoint.file_hash |
| fileHash | - | file.hash.{md5,sha1} | - |
| reason | - | - | checkpoint.termination_reason |
| checkrequestCookies | - | - | checkpoint.cookie |
| requestCookies | - | - | checkpoint.cookie |
| sourceNtDomain | - | dns.question.name | - |
| Signature | - | vulnerability.id | - |
| Recipient | - | destination.user.email | - |
| Sender | - | source.user.email | - |
| deviceCustomFloatingPoint1 | update version | observer.version | - |
| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | host.uptime | - |
.3+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
| email recipients number | - | checkpoint.email_recipients_num |
| payload | network.bytes | - |
.2+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
Expand All @@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
| update status | - | checkpoint.update_status |
| peer gateway | - | checkpoint.peer_gateway |
| categories | rule.category | - |
.4+| deviceCustomString6 | application name | process.name | - |
.4+| deviceCustomString6 | application name | network.application | - |
| virus name | - | checkpoint.virus_name |
| malware name | - | checkpoint.malware_name |
| malware name | - | checkpoint.spyware_name |
| malware family | - | checkpoint.malware_family |
.5+| deviceCustomString3 | user group | group.name | - |
| incident extension | - | checkpoint.incident_extension |
Expand All @@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
| vlan id | network.vlan.id | - |
| authentication method | - | checkpoint.auth_method |
| email session id | - | checkpoint.email_session_id |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subscription_expiration |
| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
.2+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
| destination phone number | - | checkpoint.dst_phone_number |
| flexString1 | application signature id | - | checkpoint.app_sig_id |
.2+| flexString2 | malware action | event.action | - |
.2+| flexString2 | malware action | rule.description | - |
| attack information | event.action | - |
| rule_uid | - | rule.uuid | - |
| ifname | - | observer.ingress.interface.name | - |
| ifname | - | observer.ingress.interface.name | - |
| inzone | - | observer.ingress.zone | - |
| outzone | - | observer.egress.zone | - |
| product | - | observer.product | - |
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cef/fields.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading