From e245358feb66da4cc3aa1af5ffceb31f3bd334b0 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Thu, 11 Jan 2024 10:06:59 +0100 Subject: [PATCH] Improve authentication normalization --- packages/checkpoint/changelog.yml | 5 + .../test-checkpoint-authentication.log | 12 + ...heckpoint-authentication.log-expected.json | 718 ++++++++++++++++++ ...est-checkpoint-with-time.log-expected.json | 10 +- .../test/pipeline/test-r80x.log-expected.json | 11 +- .../test/pipeline/test-r81x.log-expected.json | 91 ++- .../elasticsearch/ingest_pipeline/default.yml | 143 +++- .../data_stream/firewall/fields/ecs.yml | 14 + .../data_stream/firewall/fields/fields.yml | 8 + packages/checkpoint/docs/README.md | 10 + packages/checkpoint/manifest.yml | 2 +- 11 files changed, 984 insertions(+), 40 deletions(-) create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml index 787ecd460556..8d25bd6d1dd5 100644 --- a/packages/checkpoint/changelog.yml +++ b/packages/checkpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.30.0 + changes: + - description: Improve authentication logs normalization. + type: enhancement + link: https://github.com/elastic/integrations/pull/8884 - version: "1.29.1" changes: - description: Fix exclude_files pattern. diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log new file mode 100644 index 000000000000..06438860f698 --- /dev/null +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log 
@@ -0,0 +1,12 @@ +<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed593,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703859602"; version:"5"; additional_info:"login by localhost"; administrator:"WEB_API"; client_ip:"192.168.1.153"; operation:"Log In"; product:"WEB_API"; sendtotrackerasadvancedauditlog:"0"; subject:"Administrator Login"] +<134>1 2023-12-29T14:03:03Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed198,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703858583"; version:"5"; additional_info:"Authentication method: Active Directory"; administrator:"User (Example)"; client_ip:"127.0.0.1"; machine:"localhost"; operation:"Log In"; operation_number:"10"; product:"WEB_API"; subject:"Administrator Login"] +<134>1 2023-12-29T08:42:55Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658e8690,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703839375"; version:"5"; additional_info:"Authentication method: radius"; administrator:"mario.rossi@example.org"; client_ip:"10.16.10.27"; machine:"desktop0001.example.local"; operation:"Log In"; operation_number:"10"; product:"SmartConsole"; subject:"Administrator Login"] +<134>1 2023-12-15T11:52:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x657c3de4,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1702641122"; version:"5"; additional_info:"Authentication method: radius"; administrator:"i.biachi@customer.com"; client_ip:"172.28.11.213"; machine:"relay599.rdnssender.com"; 
operation:"Log In"; operation_number:"10"; product:"SmartConsole"; subject:"Administrator Login"] +<134>1 2023-12-27T09:39:55Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658bf0ed,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703669995"; version:"5"; additional_info:"Administrator failed to log in: Wrong Password"; administrator:"i.biachi@customer.com"; audit_status:"Failure"; client_ip:"172.28.11.213"; machine:"relay599.rdnssender.com"; operation:"Log In"; operation_number:"11"; product:"SmartConsole"; subject:"Administrator Login"] +<134>1 2023-12-28T08:03:28Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658d2bd2,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703750608"; version:"5"; additional_info:"Administrator failed to log in: SIC Error for gettopo: Server could not find authentication method for service gettopo. 
Peer is: "; audit_status:"Failure"; client_ip:"172.28.11.213"; operation:"Log In"; operation_number:"11"; product:"Unknown"; subject:"Administrator Login"] +<134>1 2023-12-21T10:41:20Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x65841652,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703155280"; version:"5"; additional_info:"Administrator failed to log in: Wrong Password"; administrator:"mario.rossi@example.org"; audit_status:"Failure"; client_ip:"172.16.1.190"; machine:"cp_console.example.local"; operation:"Log In"; operation_number:"11"; product:"SmartConsole"; subject:"Administrator Login"] +<134>1 2023-12-22T08:38:43Z CP-Manager CheckPoint 10547 - [alert:"Expert_Alert"; flags:"139296"; ifdir:"inbound"; loguid:"{0x65854b15,0x0,0x6401a8c0,0x3c7878a}"; origin:"10.16.109.248"; sequencenum:"71"; time:"1703234323"; version:"5"; additional_info:"SSH connection by admin_org user to Expert Shell"; administrator:"admin_org"; client_ip:"10.16.109.244"; device_name:"CPFW-0001"; device_type:"GW"; operation:"Log In"; product:"Expert Shell"; subject:"Administrator Expert Shell login"] +<134>1 2023-12-01T08:49:00Z CP-Manager CheckPoint 21491 - [alert:"Expert_Alert"; flags:"139296"; ifdir:"inbound"; loguid:"{0x65699dfe,0x0,0x6401a8c0,0x29fed3f3}"; origin:"10.16.109.248"; sequencenum:"165"; time:"1701420540"; version:"5"; additional_info:"SSH connection by mario.rossi@example.org user to Expert Shell"; administrator:"mario.rossi@example.org"; client_ip:"172.16.1.190"; device_name:"CPFW-0001"; device_type:"GW"; operation:"Log In"; product:"Expert Shell"; subject:"Administrator Expert Shell login"] +<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed593,0x1,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"2"; 
time:"1703859602"; version:"5"; additional_info:"logout localhost"; administrator:"WEB_API"; client_ip:"192.168.1.153"; domain_name:"SMC User"; operation:"Log Out"; product:"WEB_API"; sendtotrackerasadvancedauditlog:"0"; session_uid:"f424fd06-f25a-44f1-918d-5c837b77f1c8"; subject:"Administrator Logout"] +<134>1 2023-12-29T13:42:04Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658eccad,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703857324"; version:"5"; administrator:"User (Example)"; client_ip:"127.0.0.1"; machine:"localhost"; operation:"Log Out"; operation_number:"12"; product:"WEB_API"; subject:"Administrator Login"] +<134>1 2023-12-29T13:23:54Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ec86c,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703856234"; version:"5"; administrator:"mario.rossi@example.org"; client_ip:"10.16.10.27"; machine:"desktop0001.example.local"; operation:"Log Out"; operation_number:"12"; product:"SmartConsole"; subject:"Administrator Login"] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json new file mode 100644 index 000000000000..f5caa26ca3ff --- /dev/null +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json 
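Review bot: The fourth and fifth events of the new fixture carry what look like real, non-reserved identities — `administrator:"i.biachi@customer.com"` and `machine:"relay599.rdnssender.com"` — while the rest of the file uses the reserved `example.org`/`example.local` names. Sample logs committed to a public integration should stay on RFC 2606 names so no stray real mailbox or host ends up in docs, dashboards or detection examples; constructed replacements such as `administrator:"i.bianchi@example.com"` and `machine:"relay599.example.net"` keep the same parsing coverage (email-shaped user, FQDN in `machine`). The matching `-expected.json` would need regenerating after the substitution.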
@@ -0,0 +1,718 @@ +{ + "expected": [ + { + "@timestamp": "2023-12-29T14:20:02.000Z", + "checkpoint": { + "additional_info": "login by localhost", + "operation": "Log In", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local", + "sendtotrackerasadvancedauditlog": "0" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "id": "{0x658ed593,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658ed593,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703859602\"; version:\"5\"; additional_info:\"login by localhost\"; administrator:\"WEB_API\"; client_ip:\"192.168.1.153\"; operation:\"Log In\"; product:\"WEB_API\"; sendtotrackerasadvancedauditlog:\"0\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "WEB_API", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "192.168.1.153" + ], + "user": [ + "WEB_API" + ] + }, + "source": { + "ip": "192.168.1.153", + "user": { + "name": "WEB_API" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "web_api" + } + }, + { + "@timestamp": "2023-12-29T14:03:03.000Z", + "checkpoint": { + "additional_info": "Authentication method: Active Directory", + "machine": "localhost", + "operation": "Log In", + "operation_number": "10", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "10", + "id": "{0x658ed198,0x0,0x6401a8c0,0x3c7878a}", + 
"kind": "event", + "original": "<134>1 2023-12-29T14:03:03Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658ed198,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703858583\"; version:\"5\"; additional_info:\"Authentication method: Active Directory\"; administrator:\"User (Example)\"; client_ip:\"127.0.0.1\"; machine:\"localhost\"; operation:\"Log In\"; operation_number:\"10\"; product:\"WEB_API\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "WEB_API", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "User (Example)" + ] + }, + "source": { + "ip": "127.0.0.1", + "user": { + "name": "User (Example)" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user (example)" + } + }, + { + "@timestamp": "2023-12-29T08:42:55.000Z", + "checkpoint": { + "additional_info": "Authentication method: radius", + "machine": "desktop0001.example.local", + "operation": "Log In", + "operation_number": "10", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "10", + "id": "{0x658e8690,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-29T08:42:55Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658e8690,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703839375\"; version:\"5\"; additional_info:\"Authentication method: radius\"; 
administrator:\"mario.rossi@example.org\"; client_ip:\"10.16.10.27\"; machine:\"desktop0001.example.local\"; operation:\"Log In\"; operation_number:\"10\"; product:\"SmartConsole\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "SmartConsole", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "10.16.10.27" + ], + "user": [ + "mario.rossi@example.org" + ] + }, + "source": { + "domain": "desktop0001.example.local", + "ip": "10.16.10.27", + "user": { + "name": "mario.rossi@example.org" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "mario.rossi@example.org" + } + }, + { + "@timestamp": "2023-12-15T11:52:02.000Z", + "checkpoint": { + "additional_info": "Authentication method: radius", + "machine": "relay599.rdnssender.com", + "operation": "Log In", + "operation_number": "10", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "10", + "id": "{0x657c3de4,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-15T11:52:02Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x657c3de4,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1702641122\"; version:\"5\"; additional_info:\"Authentication method: radius\"; administrator:\"i.biachi@customer.com\"; client_ip:\"172.28.11.213\"; machine:\"relay599.rdnssender.com\"; operation:\"Log In\"; operation_number:\"10\"; product:\"SmartConsole\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] 
+ }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "SmartConsole", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "172.28.11.213" + ], + "user": [ + "i.biachi@customer.com" + ] + }, + "source": { + "domain": "relay599.rdnssender.com", + "ip": "172.28.11.213", + "user": { + "name": "i.biachi@customer.com" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "i.biachi@customer.com" + } + }, + { + "@timestamp": "2023-12-27T09:39:55.000Z", + "checkpoint": { + "additional_info": "Administrator failed to log in: Wrong Password", + "audit_status": "Failure", + "machine": "relay599.rdnssender.com", + "operation": "Log In", + "operation_number": "11", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication" + ], + "code": "11", + "id": "{0x658bf0ed,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-27T09:39:55Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658bf0ed,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703669995\"; version:\"5\"; additional_info:\"Administrator failed to log in: Wrong Password\"; administrator:\"i.biachi@customer.com\"; audit_status:\"Failure\"; client_ip:\"172.28.11.213\"; machine:\"relay599.rdnssender.com\"; operation:\"Log In\"; operation_number:\"11\"; product:\"SmartConsole\"; subject:\"Administrator Login\"]", + "outcome": "failure", + "reason": "Wrong Password", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "SmartConsole", + "type": "firewall", + 
"vendor": "Checkpoint" + }, + "related": { + "ip": [ + "172.28.11.213" + ], + "user": [ + "i.biachi@customer.com" + ] + }, + "source": { + "domain": "relay599.rdnssender.com", + "ip": "172.28.11.213", + "user": { + "name": "i.biachi@customer.com" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "i.biachi@customer.com" + } + }, + { + "@timestamp": "2023-12-28T08:03:28.000Z", + "checkpoint": { + "additional_info": "Administrator failed to log in: SIC Error for gettopo: Server could not find authentication method for service gettopo. Peer is:", + "audit_status": "Failure", + "operation": "Log In", + "operation_number": "11", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication" + ], + "code": "11", + "id": "{0x658d2bd2,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-28T08:03:28Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658d2bd2,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703750608\"; version:\"5\"; additional_info:\"Administrator failed to log in: SIC Error for gettopo: Server could not find authentication method for service gettopo. Peer is: \"; audit_status:\"Failure\"; client_ip:\"172.28.11.213\"; operation:\"Log In\"; operation_number:\"11\"; product:\"Unknown\"; subject:\"Administrator Login\"]", + "outcome": "failure", + "reason": "SIC Error for gettopo: Server could not find authentication method for service gettopo. 
Peer is:", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "Unknown", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "172.28.11.213" + ] + }, + "source": { + "ip": "172.28.11.213" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-21T10:41:20.000Z", + "checkpoint": { + "additional_info": "Administrator failed to log in: Wrong Password", + "audit_status": "Failure", + "machine": "cp_console.example.local", + "operation": "Log In", + "operation_number": "11", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication" + ], + "code": "11", + "id": "{0x65841652,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-21T10:41:20Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x65841652,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703155280\"; version:\"5\"; additional_info:\"Administrator failed to log in: Wrong Password\"; administrator:\"mario.rossi@example.org\"; audit_status:\"Failure\"; client_ip:\"172.16.1.190\"; machine:\"cp_console.example.local\"; operation:\"Log In\"; operation_number:\"11\"; product:\"SmartConsole\"; subject:\"Administrator Login\"]", + "outcome": "failure", + "reason": "Wrong Password", + "sequence": 1, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "SmartConsole", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "172.16.1.190" + ], + "user": [ + "mario.rossi@example.org" 
+ ] + }, + "source": { + "domain": "cp_console.example.local", + "ip": "172.16.1.190", + "user": { + "name": "mario.rossi@example.org" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "mario.rossi@example.org" + } + }, + { + "@timestamp": "2023-12-22T08:38:43.000Z", + "checkpoint": { + "additional_info": "SSH connection by admin_org user to Expert Shell", + "alert": "Expert_Alert", + "device_name": "CPFW-0001", + "device_type": "GW", + "operation": "Log In" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "id": "{0x65854b15,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-22T08:38:43Z CP-Manager CheckPoint 10547 - [alert:\"Expert_Alert\"; flags:\"139296\"; ifdir:\"inbound\"; loguid:\"{0x65854b15,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"10.16.109.248\"; sequencenum:\"71\"; time:\"1703234323\"; version:\"5\"; additional_info:\"SSH connection by admin_org user to Expert Shell\"; administrator:\"admin_org\"; client_ip:\"10.16.109.244\"; device_name:\"CPFW-0001\"; device_type:\"GW\"; operation:\"Log In\"; product:\"Expert Shell\"; subject:\"Administrator Expert Shell login\"]", + "outcome": "success", + "sequence": 71, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "host": { + "name": "CPFW-0001", + "type": "GW" + }, + "message": "Administrator Expert Shell login", + "network": { + "direction": "inbound", + "protocol": "ssh" + }, + "observer": { + "name": "10.16.109.248", + "product": "Expert Shell", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "10.16.109.244" + ], + "user": [ + "admin_org" + ] + }, + "source": { + "ip": "10.16.109.244", + "user": { + "name": "admin_org" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin_org" + } + }, + { + "@timestamp": "2023-12-01T08:49:00.000Z", + "checkpoint": { + "additional_info": "SSH connection by mario.rossi@example.org user to 
Expert Shell", + "alert": "Expert_Alert", + "device_name": "CPFW-0001", + "device_type": "GW", + "operation": "Log In" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "id": "{0x65699dfe,0x0,0x6401a8c0,0x29fed3f3}", + "kind": "event", + "original": "<134>1 2023-12-01T08:49:00Z CP-Manager CheckPoint 21491 - [alert:\"Expert_Alert\"; flags:\"139296\"; ifdir:\"inbound\"; loguid:\"{0x65699dfe,0x0,0x6401a8c0,0x29fed3f3}\"; origin:\"10.16.109.248\"; sequencenum:\"165\"; time:\"1701420540\"; version:\"5\"; additional_info:\"SSH connection by mario.rossi@example.org user to Expert Shell\"; administrator:\"mario.rossi@example.org\"; client_ip:\"172.16.1.190\"; device_name:\"CPFW-0001\"; device_type:\"GW\"; operation:\"Log In\"; product:\"Expert Shell\"; subject:\"Administrator Expert Shell login\"]", + "outcome": "success", + "sequence": 165, + "timezone": "UTC", + "type": [ + "start" + ] + }, + "host": { + "name": "CPFW-0001", + "type": "GW" + }, + "message": "Administrator Expert Shell login", + "network": { + "direction": "inbound", + "protocol": "ssh" + }, + "observer": { + "name": "10.16.109.248", + "product": "Expert Shell", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "172.16.1.190" + ], + "user": [ + "mario.rossi@example.org" + ] + }, + "source": { + "ip": "172.16.1.190", + "user": { + "name": "mario.rossi@example.org" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "mario.rossi@example.org" + } + }, + { + "@timestamp": "2023-12-29T14:20:02.000Z", + "checkpoint": { + "additional_info": "logout localhost", + "operation": "Log Out", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local", + "sendtotrackerasadvancedauditlog": "0", + "session_uid": "f424fd06-f25a-44f1-918d-5c837b77f1c8" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "id": 
"{0x658ed593,0x1,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658ed593,0x1,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"2\"; time:\"1703859602\"; version:\"5\"; additional_info:\"logout localhost\"; administrator:\"WEB_API\"; client_ip:\"192.168.1.153\"; domain_name:\"SMC User\"; operation:\"Log Out\"; product:\"WEB_API\"; sendtotrackerasadvancedauditlog:\"0\"; session_uid:\"f424fd06-f25a-44f1-918d-5c837b77f1c8\"; subject:\"Administrator Logout\"]", + "outcome": "success", + "sequence": 2, + "timezone": "UTC", + "type": [ + "end" + ] + }, + "message": "Administrator Logout", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "WEB_API", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "192.168.1.153" + ], + "user": [ + "WEB_API" + ] + }, + "source": { + "ip": "192.168.1.153", + "user": { + "domain": "SMC User", + "name": "WEB_API" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "smc user", + "name": "web_api" + } + }, + { + "@timestamp": "2023-12-29T13:42:04.000Z", + "checkpoint": { + "machine": "localhost", + "operation": "Log Out", + "operation_number": "12", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "code": "12", + "id": "{0x658eccad,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-29T13:42:04Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658eccad,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703857324\"; version:\"5\"; 
administrator:\"User (Example)\"; client_ip:\"127.0.0.1\"; machine:\"localhost\"; operation:\"Log Out\"; operation_number:\"12\"; product:\"WEB_API\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "end" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "WEB_API", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "User (Example)" + ] + }, + "source": { + "ip": "127.0.0.1", + "user": { + "name": "User (Example)" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user (example)" + } + }, + { + "@timestamp": "2023-12-29T13:23:54.000Z", + "checkpoint": { + "machine": "desktop0001.example.local", + "operation": "Log Out", + "operation_number": "12", + "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "code": "12", + "id": "{0x658ec86c,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "<134>1 2023-12-29T13:23:54Z CP-Manager CheckPoint 10547 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x658ec86c,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.153\"; originsicname:\"cn=cp_mgmt,o=CP-Manager.example.local\"; sequencenum:\"1\"; time:\"1703856234\"; version:\"5\"; administrator:\"mario.rossi@example.org\"; client_ip:\"10.16.10.27\"; machine:\"desktop0001.example.local\"; operation:\"Log Out\"; operation_number:\"12\"; product:\"SmartConsole\"; subject:\"Administrator Login\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "end" + ] + }, + "message": "Administrator Login", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.153", + "product": "SmartConsole", + "type": "firewall", + "vendor": "Checkpoint" + 
}, + "related": { + "ip": [ + "10.16.10.27" + ], + "user": [ + "mario.rossi@example.org" + ] + }, + "source": { + "domain": "desktop0001.example.local", + "ip": "10.16.10.27", + "user": { + "name": "mario.rossi@example.org" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "mario.rossi@example.org" + } + } + ] +} \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json index 72a5f96efe7f..f7e8b658fa8c 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json @@ -232,7 +232,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "srcuser" + } }, { "@timestamp": "2021-05-05T12:27:09.000Z", @@ -318,7 +321,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "srcuser" + } } ] } \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json index 0bbed0c30dac..523484592b04 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json @@ -66,7 +66,6 @@ "event": { "action": "logged-in", "category": [ - "network", "authentication" ], "id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}", @@ -76,7 +75,7 @@ "sequence": 1, "timezone": "UTC", "type": [ - "allowed" + "start" ] }, "network": { 
@@ -122,7 +121,13 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "group": { + "name": "remote_access_users; remote_admins; all users; ad_users" + }, + "name": "usrtest (usrtest)" + } } ] } \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json index 211f7ece989c..de8eff86d63d 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json @@ -226,7 +226,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "bob" + } }, { "@timestamp": "2023-03-01T05:02:37.000Z", @@ -249,18 +252,13 @@ "destination": { "ip": "192.168.178.40" }, - "dns": { - "question": { - "name": "SMC User" - } - }, "ecs": { "version": "8.11.0" }, "event": { - "action": "Accept", + "action": "logged-out", "category": [ - "network" + "authentication" ], "id": [ "{0x341d6d49,0xc1db9b1,0x8781cca,0x60557f55}", @@ -275,8 +273,7 @@ ], "timezone": "UTC", "type": [ - "allowed", - "connection" + "end" ] }, "message": "Administrator Logout", @@ -314,12 +311,17 @@ "source": { "ip": "192.168.178.40", "user": { + "domain": "SMC User", "name": "WEB_API" } }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "domain": "smc user", + "name": "web_api" + } }, { "@timestamp": "2023-03-01T07:58:40.000Z", 
@@ -401,15 +403,19 @@ "version": "8.11.0" }, "event": { - "action": "Accept", + "action": "logged-in", "category": [ "authentication" ], "id": "{0x63ff0952,0x41,0x28b2a8c0,0x20a1413c}", "kind": "event", "original": "<134>1 2023-03-01T02:15:54Z gw-0b8ccd CheckPoint 16700 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x63ff0952,0x41,0x28b2a8c0,0x20a1413c}\"; origin:\"192.168.178.40\"; sequencenum:\"1\"; time:\"1677636954\"; version:\"5\"; additional_info:\"login by localhost\"; administrator:\"WEB_API\"; client_ip:\"192.168.178.40\"; operation:\"Log In\"; product:\"WEB_API\"; sendtotrackerasadvancedauditlog:\"0\"; subject:\"Administrator Login\"]", + "outcome": "success", "sequence": 1, - "timezone": "UTC" + "timezone": "UTC", + "type": [ + "start" + ] }, "message": "Administrator Login", "network": { @@ -437,7 +443,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "web_api" + } }, { "@timestamp": "2023-03-01T02:16:17.000Z", 
@@ -447,24 +456,23 @@ "sendtotrackerasadvancedauditlog": "0", "session_uid": "02e77b40-e0d5-400c-bea0-5a7bd8fc9648" }, - "dns": { - "question": { - "name": "SMC User" - } - }, "ecs": { "version": "8.11.0" }, "event": { - "action": "Accept", + "action": "logged-out", "category": [ - "network" + "authentication" ], "id": "{0x63ff0952,0x42,0x28b2a8c0,0x20a1413c}", "kind": "event", "original": "<134>1 2023-03-01T02:16:17Z gw-0b8ccd CheckPoint 16700 - [action:\"Accept\"; flags:\"163872\"; ifdir:\"outbound\"; loguid:\"{0x63ff0952,0x42,0x28b2a8c0,0x20a1413c}\"; origin:\"192.168.178.40\"; sequencenum:\"1\"; time:\"1677636977\"; version:\"5\"; additional_info:\"logout localhost\"; administrator:\"WEB_API\"; client_ip:\"192.168.178.40\"; domain_name:\"SMC User\"; operation:\"Log Out\"; product:\"WEB_API\"; sendtotrackerasadvancedauditlog:\"0\"; session_uid:\"02e77b40-e0d5-400c-bea0-5a7bd8fc9648\"; subject:\"Administrator Logout\"]", + "outcome": "success", "sequence": 1, - "timezone": "UTC" + "timezone": "UTC", + "type": [ + "end" + ] }, "message": "Administrator Logout", "network": { @@ -487,12 +495,17 @@ "source": { "ip": "192.168.178.40", "user": { + "domain": "SMC User", "name": "WEB_API" } }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "domain": "smc user", + "name": "web_api" + } }, { "@timestamp": "2023-03-01T02:16:55.000Z", @@ -539,7 +552,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "admin" + } }, { "@timestamp": "2023-03-01T02:52:15.000Z", @@ -596,7 +612,11 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "id": "4b14971c-2917-4ccc-8a1b-1d7ed30ec2b3", + "name": "admin" + } }, { "@timestamp": "2023-03-01T05:15:58.000Z", @@ -650,7 +670,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "web_api" + } }, { "@timestamp": "2023-03-01T05:29:55.000Z", 
@@ -745,7 +768,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "admin" + } }, { "@timestamp": "2023-03-01T08:26:09.000Z", @@ -833,7 +859,11 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "id": "f983d826-10e3-4226-b61e-f502ff9c5484", + "name": "admin" + } }, { "@timestamp": "2023-03-01T08:39:03.000Z", @@ -926,7 +956,10 @@ }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "name": "system" + } }, { "@timestamp": "2023-03-02T03:28:09.000Z", diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 3bd4e69d042b..450c54b145bf 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -178,7 +178,8 @@ processors: - append: field: event.category value: network - if: ctx.checkpoint?.operation != 'Log In' + if: ctx.checkpoint?.operation != 'Log In' && ctx.checkpoint?.operation != 'Log Out' && ctx.checkpoint?.action != 'Log In' && ctx.checkpoint?.action != 'Log Out' + allow_duplicates: false - set: field: observer.vendor value: Checkpoint @@ -314,7 +315,8 @@ processors: - append: field: event.category value: authentication - if: ctx.checkpoint?.operation == 'Log In' + if: ctx.checkpoint?.operation == 'Log In' || ctx.checkpoint?.operation == 'Log Out' + allow_duplicates: false - rename: field: checkpoint.originsicname target_field: checkpoint.origin_sic_name @@ -336,7 +338,7 @@ processors: value: - allowed - connection - if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action) && (ctx.checkpoint?.operation != 'Log In' && ctx.checkpoint?.operation != 'Log Out')" - set: field: event.outcome value: success 
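Review bot: In the `@@ -178` hunk the `network` category is now withheld for `operation`/`action` values `Log In` and `Log Out`, but not for `action: 'Failed Log In'`, which the `@@ -371` hunk still tags as `authentication`, so a failed logon ends up with both `network` and `authentication` while a successful one carries only `authentication`. If that asymmetry is unintended, use one exclusion list in both places: `if: !['Log In', 'Log Out'].contains(ctx.checkpoint?.operation) && !['Log In', 'Log Out', 'Failed Log In'].contains(ctx.checkpoint?.action)`. The `allowed`/`connection` type gate in the `@@ -336` hunk only checks `operation`, so an action-based login whose `rule_action` is `Accept` would presumably still receive `connection`; the same list would keep it consistent, though whether such events reach that gate cannot be confirmed from these hunks.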
@@ -359,10 +361,12 @@ processors: field: event.category value: malware if: ctx.checkpoint?.malware_action != null + allow_duplicates: false - append: field: event.category value: intrusion_detection if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + allow_duplicates: false - set: field: event.outcome value: success @@ -371,14 +375,35 @@ processors: field: event.outcome value: failure if: ctx.checkpoint?.action == 'Failed Log In' + - set: + field: event.outcome + value: success + if: ctx.checkpoint?.operation == 'Log Out' + override: true + description: "Set 'success' outcome for logoff activity." + - set: + field: event.outcome + value: success + if: ctx.checkpoint?.operation == 'Log In' && (ctx.checkpoint?.audit_status == 'Success' || ctx.checkpoint?.audit_status == null) + override: true + description: "Set 'success' outcome by default for logon events without audit outcome set." - append: field: event.category value: authentication if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)" + allow_duplicates: false - append: field: event.type - value: allowed - if: ctx.checkpoint?.action == 'Log In' + value: + - start + allow_duplicates: false + if: ctx.checkpoint?.action == 'Log In' || ctx.checkpoint?.operation == 'Log In' + - append: + field: event.type + value: end + allow_duplicates: false + if: ctx.checkpoint?.action == 'Log Out' || ctx.checkpoint?.operation == 'Log Out' + description: "Add 'end' categorization type for events related to log out activities." - set: field: checkpoint.action value: logged-in @@ -386,6 +411,7 @@ processors: - append: field: event.type value: denied + allow_duplicates: false if: ctx.checkpoint?.action == 'Failed Log In' - set: field: checkpoint.action 
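Review bot: The new `event.outcome: success` set for `operation == 'Log In'` in the `@@ -371` hunk uses `override: true` and treats a missing `audit_status` as success, and it runs after the `failure` set for `action == 'Failed Log In'` a few lines above, so an event carrying both fields would be flipped back to `success`. For a detection data source this is the unsafe default: a logon that was logged without an audit status is indistinguishable from a confirmed success. Tighten the condition to `if: ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint?.action != 'Failed Log In' && (ctx.checkpoint?.audit_status == 'Success' || ctx.checkpoint?.audit_status == null)` and apply the same `Failed Log In` exclusion to the `start` type append. I also do not see an `event.outcome: failure` set for `audit_status == 'Failure'` in this hunk; if it is not set elsewhere in the pipeline, add one next to the `logon-failed` action so failed audit logons are queryable by outcome.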
@@ -494,6 +520,17 @@ processors: field: checkpoint.domain_name target_field: dns.question.name ignore_missing: true + - rename: + field: dns.question.name + target_field: source.user.domain + ignore_missing: true + if: ctx.checkpoint?.operation == 'Log Out' && ctx.source?.user?.domain == null + - dissect: + field: checkpoint.additional_info + pattern: 'Administrator failed to log in: %{event.reason}' + ignore_missing: true + ignore_failure: true + if: (ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint?.audit_status == 'Failure') && (ctx.event?.reason == null || ctx.event?.reason == "") - rename: field: checkpoint.dns_message_type target_field: dns.type 
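Review bot: The `source.user.domain` rename in the `@@ -494` hunk only fires for `operation == 'Log Out'`, so a `Log In` audit event that carries `domain_name` would still land in `dns.question.name`, the very field this commit moves logout events away from; the logout test lines in this commit carry `domain_name`, but nothing here proves login lines never do. Using the same predicate as the other logon/logoff processors, `if: ['Log In', 'Log Out'].contains(ctx.checkpoint?.operation) && ctx.source?.user?.domain == null`, keeps the mapping consistent across the session. The `dissect` on `additional_info` silently drops any failure text that does not start with `Administrator failed to log in: ` because of `ignore_failure: true`; a `description:` saying that `event.reason` is only populated for that prefix would save the next reader a test run.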
@@ -522,6 +559,102 @@ processors: field: checkpoint.action target_field: event.action ignore_missing: true + - set: + field: event.action + value: logon-failed + override: true + if: ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint?.audit_status == 'Failure' + description: "Set 'logon-failed' action categorization for failed logon attempts." + - set: + field: event.action + value: logged-in + override: true + if: ctx.checkpoint?.operation == 'Log In' && (ctx.checkpoint?.audit_status == 'Success' || ctx.checkpoint?.audit_status == null) + description: "Set 'logged-in' action categorization for events related to successful logons." + - set: + field: event.action + value: logged-out + override: true + if: ctx.checkpoint?.operation == 'Log Out' + description: "Set 'logged-out' action categorization for logoff events." + - set: + field: host.name + value: '{{{ checkpoint.device_name }}}' + override: false + ignore_empty_value: true + if: ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell' + description: "Copy the device name to the host.name field for logon events in Checkpoint expert shells." + - set: + field: host.type + value: '{{{ checkpoint.device_type }}}' + override: false + ignore_empty_value: true + if: ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell' + description: "Copy the device type to the host.type field for logon events in Checkpoint expert shells." + - set: + field: source.domain + value: '{{{ checkpoint.machine }}}' + override: false + ignore_empty_value: true + if: "['Log In', 'Log Out'].contains(ctx.checkpoint?.operation) && ctx.checkpoint?.machine != 'localhost'" + description: "Copy the device type to the host.type field for logon events in Checkpoint expert shells." 
+ - set: + field: network.protocol + value: ssh + override: false + if: ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell' + description: "Set network protocol to SSH for logon activities made with Checkpoint expert shells." + - set: + field: user.name + value: '{{{ source.user.name }}}' + override: false + ignore_empty_value: true + - set: + field: user.id + value: '{{{ source.user.id }}}' + override: false + ignore_empty_value: true + - set: + field: user.group.name + value: '{{{ source.user.group.name }}}' + override: false + ignore_empty_value: true + - set: + field: user.email + value: '{{{ source.user.email }}}' + override: false + ignore_empty_value: true + - set: + field: user.domain + value: '{{{ source.user.domain }}}' + override: false + ignore_empty_value: true + - append: + field: user.roles + value: administrator + allow_duplicates: false + if: ctx.message == 'Administrator Login' || ctx.message == 'Administrator Logout' || ctx.message == 'Administrator Expert Shell login' + description: "Add administrator label to the user.role field for all events related to administrator logon / logoff activities." + - set: + field: event.code + value: '{{{ checkpoint.operation_number }}}' + override: false + ignore_empty_value: true + - lowercase: + field: user.name + ignore_missing: true + - lowercase: + field: user.id + ignore_missing: true + - lowercase: + field: user.email + ignore_missing: true + - lowercase: + field: user.domain + ignore_missing: true + - lowercase: + field: user.group.name + ignore_missing: true - rename: field: checkpoint.packet_capture target_field: event.url diff --git a/packages/checkpoint/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/data_stream/firewall/fields/ecs.yml index 6739ec67921d..580552bdd3e0 100644 --- a/packages/checkpoint/data_stream/firewall/fields/ecs.yml +++ b/packages/checkpoint/data_stream/firewall/fields/ecs.yml 
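Review bot: The description on the `source.domain` processor in the `@@ -522` hunk is a copy-paste of the `host.type` one (`Copy the device type to the host.type field for logon events in Checkpoint expert shells.`) while the processor actually copies `checkpoint.machine` into `source.domain`; change it to `description: "Copy the client machine name to source.domain for logon/logoff events, skipping the literal 'localhost'."`. Hard-coding `network.protocol: ssh` for every `Expert Shell` login assumes the shell was reached over SSH, and none of the log lines in this commit show a transport, so if the product reports console or serial shell logins under the same `product` they would be mislabelled; either hedge the description or gate the set on a field that actually indicates SSH. Lower-casing `user.name`, `user.email` and `user.domain` while the `source.user.*` originals keep their case means the two fields no longer join on equality, which is worth a one-line comment stating that `user.*` is the normalized copy. The enclosing `processors:` list starts before this hunk and continues after it.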
@@ -250,3 +250,17 @@ name: vulnerability.id - external: ecs name: log.file.path +- external: ecs + name: user.name +- external: ecs + name: user.id +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: user.group.name +- external: ecs + name: source.user.domain +- external: ecs + name: network.protocol diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml index 87ea5b393883..474de6a786a3 100644 --- a/packages/checkpoint/data_stream/firewall/fields/fields.yml +++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml @@ -287,6 +287,14 @@ type: keyword description: | Name of the developer's certificate that was used to sign the mobile application. + - name: device_name + type: keyword + description: | + Name of the device. + - name: device_type + type: keyword + description: | + Type of the device. - name: diameter_app_ID type: integer description: | diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md index 431b4cfe601d..dfa102c5e546 100644 --- a/packages/checkpoint/docs/README.md +++ b/packages/checkpoint/docs/README.md @@ -200,6 +200,8 @@ An example event for `firewall` looks as following: | checkpoint.destination_object | Matched object name on destination column. | keyword | | checkpoint.detected_on | System and applications version the file was emulated on. | keyword | | checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword | +| checkpoint.device_name | Name of the device. | keyword | +| checkpoint.device_type | Type of the device. | keyword | | checkpoint.diameter_app_ID | The ID of diameter application. | integer | | checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer | | checkpoint.diameter_msg_type | Diameter message type. | keyword | 
@@ -697,6 +699,7 @@ An example event for `firewall` looks as following: | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.name | Name given by operators to sections of their network. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.egress.interface.name | Interface name as reported by the system. | keyword | | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | @@ -743,6 +746,7 @@ An example event for `firewall` looks as following: | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | source.packets | Packets sent from the source to the destination. | long | | source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | source.user.email | User email address. | keyword | | source.user.group.name | Name of the group. | keyword | | source.user.id | Unique identifier of the user. | keyword | 
@@ -752,6 +756,12 @@ An example event for `firewall` looks as following: | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | url.original.text | Multi-field of `url.original`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.group.name | Name of the group. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | | user_agent.name | Name of the user agent. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | | user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index 017f8af2ab86..3c366b355884 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: "1.29.1" +version: 1.30.0 description: Collect logs from Check Point with Elastic Agent. type: integration format_version: "3.0.0"