From 82b8fe6064e067c34c60cc37696e831f98a3323f Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Wed, 5 Feb 2020 09:28:55 -0600
Subject: [PATCH] [Filebeat] Add CustomString mapping to CEF for Forcepoint
 NGFW (#15910)

* Add CustomString mapping to CEF for Forcepoint NGFW

Closes #14663
---
 CHANGELOG.next.asciidoc                       |   1 +
 filebeat/docs/fields.asciidoc                 |  20 +-
 filebeat/docs/modules/cef.asciidoc            |  14 +
 .../filebeat/module/cef/_meta/docs.asciidoc   |  14 +
 x-pack/filebeat/module/cef/_meta/fields.yml   |   5 +-
 x-pack/filebeat/module/cef/fields.go          |   2 +-
 .../filebeat/module/cef/log/_meta/fields.yml  |  10 +
 .../module/cef/log/ingest/fp-pipeline.yml     |  27 ++
 .../module/cef/log/ingest/pipeline.yml        |   4 +-
 x-pack/filebeat/module/cef/log/manifest.yml   |   5 +-
 .../module/cef/log/test/fp-ngfw-smc.log       |  13 +
 .../log/test/fp-ngfw-smc.log-expected.json    | 398 ++++++++++++++++++
 12 files changed, 507 insertions(+), 6 deletions(-)
 create mode 100644 x-pack/filebeat/module/cef/log/_meta/fields.yml
 create mode 100644 x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml
 create mode 100644 x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
 create mode 100644 x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 88c4ddcea99f..31cba771a2f4 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add dashboard for AWS ELB fileset. {pull}15804[15804]
 - Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
 - Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
+- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 98dc6ff13e37..701eded16af5 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -4655,9 +4655,27 @@ type: keyword
 [[exported-fields-cef-module]]
 == CEF fields
 
-Module for receiving CEF logs over Syslog. The module does not add fields beyond what the decode_cef processor provides.
+Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.
 
 
+
+[float]
+=== forcepoint
+
+Fields for Forcepoint Custom String mappings
+
+
+
+*`forcepoint.virus_id`*::
++
+--
+Virus ID
+
+
+type: keyword
+
+--
+
 [[exported-fields-cisco]]
 == Cisco fields
 
diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc
index 8d77f1478530..97c0469daa5d 100644
--- a/filebeat/docs/modules/cef.asciidoc
+++ b/filebeat/docs/modules/cef.asciidoc
@@ -40,6 +40,19 @@ The UDP port to listen for syslog traffic. Defaults to `9003`
 
 NOTE: Ports below 1024 require Filebeat to run as root.
 
+[float]
+==== Forcepoint NGFW Security Management Center
+
+This module will process CEF data from Forcepoint NGFW Security
+Management Center (SMC).  In the SMC configure the logs to be
+forwarded to the address set in `var.syslog_host` in format CEF and
+service UDP on `var.syslog_port`.  Instructions can be found in
+https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
+configuring the SMC.  Testing was done with CEF logs from SMC version
+6.6.1 and custom string mappings were taken from 'CEF Connector
+Configuration Guide' dated December 5, 2011.
+
+
 :has-dashboards!:
 
 :fileset_ex!:
@@ -47,6 +60,7 @@ NOTE: Ports below 1024 require Filebeat to run as root.
 :modulename!:
 
 
+
 [float]
 === Fields
 
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
index 89b63cc88bd4..19b2f5eb1b32 100644
--- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
@@ -35,8 +35,22 @@ The UDP port to listen for syslog traffic. Defaults to `9003`
 
 NOTE: Ports below 1024 require Filebeat to run as root.
 
+[float]
+==== Forcepoint NGFW Security Management Center
+
+This module will process CEF data from Forcepoint NGFW Security
+Management Center (SMC).  In the SMC configure the logs to be
+forwarded to the address set in `var.syslog_host` in format CEF and
+service UDP on `var.syslog_port`.  Instructions can be found in
+https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
+configuring the SMC.  Testing was done with CEF logs from SMC version
+6.6.1 and custom string mappings were taken from 'CEF Connector
+Configuration Guide' dated December 5, 2011.
+
+
 :has-dashboards!:
 
 :fileset_ex!:
 
 :modulename!:
+
diff --git a/x-pack/filebeat/module/cef/_meta/fields.yml b/x-pack/filebeat/module/cef/_meta/fields.yml
index 6cd823e6bb84..1ea96f71d81f 100644
--- a/x-pack/filebeat/module/cef/_meta/fields.yml
+++ b/x-pack/filebeat/module/cef/_meta/fields.yml
@@ -1,6 +1,7 @@
 - key: cef-module
   title: CEF
   description: >
-    Module for receiving CEF logs over Syslog. The module does not add fields
-    beyond what the decode_cef processor provides.
+    Module for receiving CEF logs over Syslog. The module adds vendor
+    specific fields in addition to the fields the decode_cef processor
+    provides.
   fields:
diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go
index 194c5dbe9185..19312fd7acaf 100644
--- a/x-pack/filebeat/module/cef/fields.go
+++ b/x-pack/filebeat/module/cef/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCef returns asset data.
 // This is the base64 encoded gzipped contents of module/cef.
 func AssetCef() string {
-	return "eJwszDEOwjAQRNHep5gLJAdwQYOgo4IeBe84sTDeyGuCcnuUQDfFn9fhydUjMHYvlXemA1pqmR7H09kBQgs1zS1p8Tg4ALjsIaJWVAamJZVxq5F1NOjCiutqWccet4n4uRCloWjDIIKYmMV27cFVi+AzDQ1tIoRBhffAiLlqoJnWbS1JaL3D/+vdNwAA//95Jj6g"
+	return "eJx8kMFq8zAQhO9+inmB5AF0+C/5a+ihp5RejZFWzhJZK7Syi9++yImDk0L3JHZGsx9zwJUWA0v+MIqbAjVA4RLI4PTWNoAjtZlTYYkG/xoA+FiN8JKRyRLPHIfqRpBBITNlnBcNMhzxeSHcctE7p5gpOslriiay7NnCMwWn4FgtXA+hCMqFNqU+HVlx1FnySFksqd5jUpaZHemxwd1v1n2dA2I/kqmklpJwLA8JKEsigyHLlHZbR76fQunWKAPfB6Un+Vcb27Q32NpK+7iH06RFRpxLriWNfUocB919fGXec8+cJ+3YPYkb+ZWWb8mv2h+Adb5qIt7/Nz8BAAD//0k3k/4="
 }
diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml
new file mode 100644
index 000000000000..0d24bf8458f9
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml
@@ -0,0 +1,10 @@
+- name: forcepoint
+  type: group
+  default_field: false
+  description: >
+    Fields for Forcepoint Custom String mappings
+  fields:
+    - name: virus_id
+      type: keyword
+      description: >
+        Virus ID
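Review bot: The field declared here resolves to `forcepoint.virus_id` (the generated filebeat/docs/fields.asciidoc in this same patch lists it under that name), while fp-pipeline.yml writes the value to `cef.forcepoint.virus_id`, so the one vendor field this commit adds a mapping for is not the field the pipeline populates and the value would only ever be mapped dynamically, if at all. How fileset fields nest under the module depends on the module-level fields.yml, whose hunk in this patch ends at a bare `fields:`, so the exact resolution should be confirmed against the generated docs, but the two paths differ either way. Either change the set processor target to `forcepoint.virus_id` or nest this group so it resolves to `cef.forcepoint.virus_id`, and say where the value comes from in the description, e.g. `Virus ID reported by Forcepoint NGFW in CEF custom string 4 (cs4)`.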
diff --git a/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml
new file mode 100644
index 000000000000..3fe032c00fba
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml
@@ -0,0 +1,27 @@
+---
+description: Pipeline for Forcepoint CEF
+
+processors:
+  # cs1 is ruleID
+  - set:
+      field: rule.id
+      value: "{{cef.extensions.deviceCustomString1}}"
+      if: "ctx.cef?.extensions?.deviceCustomString1 != null"
+
+  # cs2 is natRuleID
+  - set:
+      field: rule.id
+      value: "{{cef.extensions.deviceCustomString2}}"
+      if: "ctx.cef?.extensions?.deviceCustomString2 != null"
+
+  # cs3 is VulnerabilityReference
+  - set:
+      field: vulnerability.reference
+      value: "{{cef.extensions.deviceCustomString3}}"
+      if: "ctx.cef?.extensions?.deviceCustomString3 != null"
+
+  # cs4 is virusID
+  - set:
+      field: cef.forcepoint.virus_id
+      value: "{{cef.extensions.deviceCustomString4}}"
+      if: "ctx.cef?.extensions?.deviceCustomString4 != null"            
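Review bot: The second set processor (cs2, natRuleID) writes to the same `rule.id` as the first (cs1, ruleID), so on an event carrying both custom strings the NAT rule ID silently replaces the access-rule ID, which is the value detections and audits are most likely to key on. Guard it with `if: "ctx.cef?.extensions?.deviceCustomString2 != null && ctx.rule?.id == null"`, or better give natRuleID its own declared keyword field rather than overloading rule.id. Each condition also checks only that csN is present, not that its label matches the assumed meaning; decode_cef exposes the labels (the expected output in this patch shows `cef.extensions.deviceCustomString1Label: RuleID`), so a condition such as `ctx.cef?.extensions?.deviceCustomString1Label == 'RuleID'` would stop a differently laid-out event from being mis-mapped into rule.id. The last `if:` line also carries trailing whitespace.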
diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
index fd520132cca9..2600dbeec08c 100644
--- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
@@ -45,7 +45,9 @@ processors:
         field: destination.as.organization_name
         target_field: destination.as.organization.name
         ignore_missing: true
-
+  - pipeline:
+        name: '{< IngestPipeline "fp-pipeline" >}'
+        if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
 on_failure:
   - set:
         field: error.message
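Review bot: The vendor check on the new `pipeline` processor is an exact, case-sensitive comparison against `'FORCEPOINT'`; every event in the new fixture uses that spelling, but if another SMC version or build emits a different casing the sub-pipeline is skipped silently and no rule.id is ever set, with nothing on the event to show why. If that is a real possibility, `if: "ctx.cef?.device?.vendor != null && ctx.cef.device.vendor.equalsIgnoreCase('FORCEPOINT')"` keeps the routing robust; otherwise a short comment above the processor stating that SMC emits the vendor in upper case would record the assumption. The `on_failure` handler that follows continues outside the hunk.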
diff --git a/x-pack/filebeat/module/cef/log/manifest.yml b/x-pack/filebeat/module/cef/log/manifest.yml
index 049b963a4aae..670a3188a4ef 100644
--- a/x-pack/filebeat/module/cef/log/manifest.yml
+++ b/x-pack/filebeat/module/cef/log/manifest.yml
@@ -13,7 +13,10 @@ var:
   - name: input
     default: syslog
 
-ingest_pipeline: ingest/pipeline.yml
+ingest_pipeline:
+  - ingest/pipeline.yml
+  - ingest/fp-pipeline.yml
+
 input: config/input.yml
 
 requires.processors:
diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
new file mode 100644
index 000000000000..a7ce1c7bbc6d
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
@@ -0,0 +1,13 @@
+CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10
+CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09
+CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1
+CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0
+CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0
+CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366
+CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33
+CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31
+CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26
+CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09
+
+
+
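Review bot: None of the ten sample events carries cs2, cs3 or cs4, so the natRuleID, VulnerabilityReference and virusID mappings added in fp-pipeline.yml run with no coverage, and the expected JSON cannot catch a wrong target field or an overwritten rule.id for them. Adding one event per custom string, with the label the Forcepoint connector guide cited in the docs assigns to it, would exercise all four set processors and pin the field each value lands in. The three empty lines at the end of the fixture add nothing to the test and can be dropped.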
diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json
new file mode 100644
index 000000000000..b421822914d2
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json
@@ -0,0 +1,398 @@
+[
+    {
+        "cef.device.event_class_id": "0",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "6.6.1",
+        "cef.extensions.deviceAddress": "10.1.1.40",
+        "cef.extensions.deviceExternalId": "Master FW node 1",
+        "cef.extensions.deviceFacility": "Logging System",
+        "cef.extensions.deviceHostName": "10.1.1.40",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:10.000Z",
+        "cef.extensions.message": "log server connection established",
+        "cef.name": "Generic",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "0",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 0,
+        "message": "log server connection established",
+        "observer.hostname": "10.1.1.40",
+        "observer.ip": "10.1.1.40",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "6.6.1",
+        "service.type": "cef",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "9005",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "6.6.1",
+        "cef.extensions.deviceAddress": "10.1.1.40",
+        "cef.extensions.deviceExternalId": "Master FW node 1",
+        "cef.extensions.deviceFacility": "Management",
+        "cef.extensions.deviceHostName": "10.1.1.40",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z",
+        "cef.extensions.message": "Communication error: No route to host (-3, 5, 0)",
+        "cef.name": "FW_Communication-Communication-Error",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "9005",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 202,
+        "message": "Communication error: No route to host (-3, 5, 0)",
+        "observer.hostname": "10.1.1.40",
+        "observer.ip": "10.1.1.40",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "6.6.1",
+        "service.type": "cef",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "70018",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "6.6.1",
+        "cef.extensions.applicationProtocol": "Dest. Unreachable (Host Unreachable)",
+        "cef.extensions.destinationAddress": "10.1.1.40",
+        "cef.extensions.deviceAction": "Allow",
+        "cef.extensions.deviceAddress": "10.1.1.40",
+        "cef.extensions.deviceCustomString1": "2097157.1",
+        "cef.extensions.deviceCustomString1Label": "RuleID",
+        "cef.extensions.deviceExternalId": "Master FW node 1",
+        "cef.extensions.deviceFacility": "Packet Filtering",
+        "cef.extensions.deviceHostName": "10.1.1.40",
+        "cef.extensions.deviceOutboundInterface": "255",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z",
+        "cef.extensions.message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020",
+        "cef.extensions.sourceAddress": "10.37.205.252",
+        "cef.extensions.transportProtocol": "1",
+        "cef.name": "Connection_Allowed",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "destination.ip": "10.1.1.40",
+        "event.action": "Allow",
+        "event.code": "70018",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 447,
+        "message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020",
+        "network.application": "Dest. Unreachable (Host Unreachable)",
+        "network.community_id": "1:jVNka6fvdh9Qms3nSigb93hGP6U=",
+        "network.transport": "1",
+        "observer.hostname": "10.1.1.40",
+        "observer.ip": "10.1.1.40",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "6.6.1",
+        "rule.id": "2097157.1",
+        "service.type": "cef",
+        "source.ip": "10.37.205.252",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "70019",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.applicationProtocol": "BOOTPS (UDP)",
+        "cef.extensions.destinationAddress": "255.255.255.255",
+        "cef.extensions.destinationPort": 67,
+        "cef.extensions.deviceAddress": "10.1.1.10",
+        "cef.extensions.deviceCustomString1": "605.0",
+        "cef.extensions.deviceCustomString1Label": "RuleID",
+        "cef.extensions.deviceExternalId": "Firewall-10 node 1",
+        "cef.extensions.deviceFacility": "Packet Filtering",
+        "cef.extensions.deviceHostName": "10.1.1.10",
+        "cef.extensions.deviceOutboundInterface": "255",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:21.000Z",
+        "cef.extensions.sourceAddress": "172.16.1.1",
+        "cef.extensions.sourcePort": 68,
+        "cef.extensions.transportProtocol": "17",
+        "cef.name": "Connection_Discarded",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "destination.ip": "255.255.255.255",
+        "destination.port": 67,
+        "event.code": "70019",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 857,
+        "message": "Connection_Discarded",
+        "network.application": "BOOTPS (UDP)",
+        "network.community_id": "1:gRGAPcxUiQY+cM2V/f6dU0AJnuI=",
+        "network.transport": "17",
+        "observer.hostname": "10.1.1.10",
+        "observer.ip": "10.1.1.10",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "rule.id": "605.0",
+        "service.type": "cef",
+        "source.ip": "172.16.1.1",
+        "source.port": 68,
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "70020",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.applicationProtocol": "Echo Request (No Code)",
+        "cef.extensions.destinationAddress": "192.168.1.1",
+        "cef.extensions.deviceAction": "Refuse",
+        "cef.extensions.deviceAddress": "10.1.1.1",
+        "cef.extensions.deviceCustomString1": "601.0",
+        "cef.extensions.deviceCustomString1Label": "RuleID",
+        "cef.extensions.deviceExternalId": "Firewall-1 node 1",
+        "cef.extensions.deviceFacility": "Packet Filtering",
+        "cef.extensions.deviceHostName": "10.1.1.1",
+        "cef.extensions.deviceOutboundInterface": "255",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:23.000Z",
+        "cef.extensions.sourceAddress": "172.16.1.1",
+        "cef.extensions.transportProtocol": "1",
+        "cef.name": "Connection_Refused",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "destination.ip": "192.168.1.1",
+        "event.action": "Refuse",
+        "event.code": "70020",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1173,
+        "message": "Connection_Refused",
+        "network.application": "Echo Request (No Code)",
+        "network.community_id": "1:rdTu3DxOTXebXEr+rcV80Pk9a1s=",
+        "network.transport": "1",
+        "observer.hostname": "10.1.1.1",
+        "observer.ip": "10.1.1.1",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "rule.id": "601.0",
+        "service.type": "cef",
+        "source.ip": "172.16.1.1",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "70021",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.applicationProtocol": "TCP",
+        "cef.extensions.bytesIn": 32526,
+        "cef.extensions.bytesOut": 27366,
+        "cef.extensions.destinationServiceName": "YouTube",
+        "cef.extensions.deviceAddress": "10.1.1.6",
+        "cef.extensions.deviceExternalId": "Firewall-6 node 1",
+        "cef.extensions.deviceFacility": "Packet Filtering",
+        "cef.extensions.deviceHostName": "10.1.1.6",
+        "cef.extensions.deviceOutboundInterface": "255",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:20.000Z",
+        "cef.extensions.sourceUserName": "alice",
+        "cef.extensions.transportProtocol": "6",
+        "cef.name": "Connection_Closed",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "destination.bytes": 27366,
+        "destination.service.name": "YouTube",
+        "event.code": "70021",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1486,
+        "message": "Connection_Closed",
+        "network.application": "TCP",
+        "network.transport": "6",
+        "observer.hostname": "10.1.1.6",
+        "observer.ip": "10.1.1.6",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "service.type": "cef",
+        "source.bytes": 32526,
+        "source.user.name": "alice",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "72714",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.deviceAddress": "10.1.1.3",
+        "cef.extensions.deviceExternalId": "Firewall-3 node 1",
+        "cef.extensions.deviceFacility": "Endpoint Context Agent",
+        "cef.extensions.deviceHostName": "10.1.1.3",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:33.000Z",
+        "cef.extensions.sourceAddress": "192.168.1.1",
+        "cef.extensions.sourceUserName": "bob",
+        "cef.name": "ECA_Metadata_login",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "72714",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1773,
+        "message": "ECA_Metadata_login",
+        "observer.hostname": "10.1.1.3",
+        "observer.ip": "10.1.1.3",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "service.type": "cef",
+        "source.ip": "192.168.1.1",
+        "source.user.name": "bob",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "72715",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.deviceAddress": "10.1.1.10",
+        "cef.extensions.deviceExternalId": "Firewall-10 node 1",
+        "cef.extensions.deviceFacility": "Endpoint Context Agent",
+        "cef.extensions.deviceHostName": "10.1.1.10",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:31.000Z",
+        "cef.extensions.sourceAddress": "192.168.1.1",
+        "cef.extensions.sourceUserName": "bob",
+        "cef.name": "ECA_Metadata_logout",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "72715",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1987,
+        "message": "ECA_Metadata_logout",
+        "observer.hostname": "10.1.1.10",
+        "observer.ip": "10.1.1.10",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "service.type": "cef",
+        "source.ip": "192.168.1.1",
+        "source.user.name": "bob",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "72716",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "unknown",
+        "cef.extensions.deviceAddress": "10.1.1.8",
+        "cef.extensions.deviceExternalId": "Firewall-8 node 1",
+        "cef.extensions.deviceFacility": "Endpoint Context Agent",
+        "cef.extensions.deviceHostName": "10.1.1.8",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:26.000Z",
+        "cef.extensions.sourceAddress": "172.16.2.1",
+        "cef.extensions.sourceUserName": "alice",
+        "cef.name": "ECA_Metadata_system_metadata_received",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "72716",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2205,
+        "message": "ECA_Metadata_system_metadata_received",
+        "observer.hostname": "10.1.1.8",
+        "observer.ip": "10.1.1.8",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "unknown",
+        "service.type": "cef",
+        "source.ip": "172.16.2.1",
+        "source.user.name": "alice",
+        "tags": [
+            "cef"
+        ]
+    },
+    {
+        "cef.device.event_class_id": "78002",
+        "cef.device.product": "Firewall",
+        "cef.device.vendor": "FORCEPOINT",
+        "cef.device.version": "6.6.1",
+        "cef.extensions.deviceAddress": "10.1.1.40",
+        "cef.extensions.deviceExternalId": "Master FW node 1",
+        "cef.extensions.deviceFacility": "Management",
+        "cef.extensions.deviceHostName": "10.1.1.40",
+        "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z",
+        "cef.extensions.message": "TLS: Couldn't establish TLS connection (11, N/A)",
+        "cef.name": "TLS connection state",
+        "cef.severity": "0",
+        "cef.version": "0",
+        "event.code": "78002",
+        "event.dataset": "cef.log",
+        "event.module": "cef",
+        "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09",
+        "event.severity": 0,
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2439,
+        "message": "TLS: Couldn't establish TLS connection (11, N/A)",
+        "observer.hostname": "10.1.1.40",
+        "observer.ip": "10.1.1.40",
+        "observer.product": "Firewall",
+        "observer.vendor": "FORCEPOINT",
+        "observer.version": "6.6.1",
+        "service.type": "cef",
+        "tags": [
+            "cef"
+        ]
+    }
+]
\ No newline at end of file