[checkpoint] Improve authentication logs normalization #8884

Merged
merged 2 commits into from Jan 17, 2024
5 changes: 5 additions & 0 deletions packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: 1.30.0
changes:
- description: Improve authentication logs normalization.
type: enhancement
link: https://github.com/elastic/integrations/pull/8884
- version: "1.29.1"
changes:
- description: Fix exclude_files pattern.
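Review bot: the new entry writes `version: 1.30.0` unquoted while the neighbouring entry uses `version: "1.29.1"`; quote the new version the same way so the file stays consistent and every version is unambiguously a string. The description "Improve authentication logs normalization." is also too vague for a changelog reader: say which events are now normalized (for instance the administrator login/logout audit records distinguished by `operation` and `audit_status`) and into which fields, so the entry can be understood without reading the pipeline diff.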
@@ -0,0 +1,12 @@
<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed593,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703859602"; version:"5"; additional_info:"login by localhost"; administrator:"WEB_API"; client_ip:"192.168.1.153"; operation:"Log In"; product:"WEB_API"; sendtotrackerasadvancedauditlog:"0"; subject:"Administrator Login"]
<134>1 2023-12-29T14:03:03Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed198,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703858583"; version:"5"; additional_info:"Authentication method: Active Directory"; administrator:"User (Example)"; client_ip:"127.0.0.1"; machine:"localhost"; operation:"Log In"; operation_number:"10"; product:"WEB_API"; subject:"Administrator Login"]
<134>1 2023-12-29T08:42:55Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658e8690,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703839375"; version:"5"; additional_info:"Authentication method: radius"; administrator:"mario.rossi@example.org"; client_ip:"10.16.10.27"; machine:"desktop0001.example.local"; operation:"Log In"; operation_number:"10"; product:"SmartConsole"; subject:"Administrator Login"]
<134>1 2023-12-15T11:52:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x657c3de4,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1702641122"; version:"5"; additional_info:"Authentication method: radius"; administrator:"i.biachi@customer.com"; client_ip:"172.28.11.213"; machine:"relay599.rdnssender.com"; operation:"Log In"; operation_number:"10"; product:"SmartConsole"; subject:"Administrator Login"]
<134>1 2023-12-27T09:39:55Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658bf0ed,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703669995"; version:"5"; additional_info:"Administrator failed to log in: Wrong Password"; administrator:"i.biachi@customer.com"; audit_status:"Failure"; client_ip:"172.28.11.213"; machine:"relay599.rdnssender.com"; operation:"Log In"; operation_number:"11"; product:"SmartConsole"; subject:"Administrator Login"]
<134>1 2023-12-28T08:03:28Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658d2bd2,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703750608"; version:"5"; additional_info:"Administrator failed to log in: SIC Error for gettopo: Server could not find authentication method for service gettopo. Peer is: "; audit_status:"Failure"; client_ip:"172.28.11.213"; operation:"Log In"; operation_number:"11"; product:"Unknown"; subject:"Administrator Login"]
<134>1 2023-12-21T10:41:20Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x65841652,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703155280"; version:"5"; additional_info:"Administrator failed to log in: Wrong Password"; administrator:"mario.rossi@example.org"; audit_status:"Failure"; client_ip:"172.16.1.190"; machine:"cp_console.example.local"; operation:"Log In"; operation_number:"11"; product:"SmartConsole"; subject:"Administrator Login"]
<134>1 2023-12-22T08:38:43Z CP-Manager CheckPoint 10547 - [alert:"Expert_Alert"; flags:"139296"; ifdir:"inbound"; loguid:"{0x65854b15,0x0,0x6401a8c0,0x3c7878a}"; origin:"10.16.109.248"; sequencenum:"71"; time:"1703234323"; version:"5"; additional_info:"SSH connection by admin_org user to Expert Shell"; administrator:"admin_org"; client_ip:"10.16.109.244"; device_name:"CPFW-0001"; device_type:"GW"; operation:"Log In"; product:"Expert Shell"; subject:"Administrator Expert Shell login"]
<134>1 2023-12-01T08:49:00Z CP-Manager CheckPoint 21491 - [alert:"Expert_Alert"; flags:"139296"; ifdir:"inbound"; loguid:"{0x65699dfe,0x0,0x6401a8c0,0x29fed3f3}"; origin:"10.16.109.248"; sequencenum:"165"; time:"1701420540"; version:"5"; additional_info:"SSH connection by mario.rossi@example.org user to Expert Shell"; administrator:"mario.rossi@example.org"; client_ip:"172.16.1.190"; device_name:"CPFW-0001"; device_type:"GW"; operation:"Log In"; product:"Expert Shell"; subject:"Administrator Expert Shell login"]
<134>1 2023-12-29T14:20:02Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ed593,0x1,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"2"; time:"1703859602"; version:"5"; additional_info:"logout localhost"; administrator:"WEB_API"; client_ip:"192.168.1.153"; domain_name:"SMC User"; operation:"Log Out"; product:"WEB_API"; sendtotrackerasadvancedauditlog:"0"; session_uid:"f424fd06-f25a-44f1-918d-5c837b77f1c8"; subject:"Administrator Logout"]
<134>1 2023-12-29T13:42:04Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658eccad,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703857324"; version:"5"; administrator:"User (Example)"; client_ip:"127.0.0.1"; machine:"localhost"; operation:"Log Out"; operation_number:"12"; product:"WEB_API"; subject:"Administrator Login"]
<134>1 2023-12-29T13:23:54Z CP-Manager CheckPoint 10547 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x658ec86c,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.153"; originsicname:"cn=cp_mgmt,o=CP-Manager.example.local"; sequencenum:"1"; time:"1703856234"; version:"5"; administrator:"mario.rossi@example.org"; client_ip:"10.16.10.27"; machine:"desktop0001.example.local"; operation:"Log Out"; operation_number:"12"; product:"SmartConsole"; subject:"Administrator Login"]
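Review bot: the three "Administrator failed to log in" lines carry `action:"Accept"` together with `audit_status:"Failure"`, so the pipeline must derive the outcome from `audit_status` rather than from `action`, and the expected output for this sample should assert a failure outcome on exactly those lines and a success outcome on the others. Two further edge cases are worth pinning in the expected output: the last two lines have `operation:"Log Out"` but `subject:"Administrator Login"`, so event classification must key on `operation` and not on `subject`; and the gettopo failure line has no `administrator` field at all and `product:"Unknown"`, so user fields must be absent for it rather than empty or defaulted, and its `additional_info` value containing colons and a trailing "Peer is: " must survive parsing intact. The two Expert Shell lines use `alert:"Expert_Alert"` with `ifdir:"inbound"` in place of `action`, a third record shape the parsing step needs to accept without dropping the event. Finally, `i.biachi@customer.com` and `relay599.rdnssender.com` look like they could be real identifiers; replace them with example.* values like the rest of the file unless they are already synthetic, and make sure the matching expected-output file for this sample is part of the change.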