
[Filebeat] Add CustomString mapping to CEF for Forcepoint NGFW #15910

Merged
merged 4 commits into from
Feb 5, 2020

Conversation

leehinman
Contributor

  • map CustomString1 to rule.id when CustomString1Label == RuleID

Closes #14663

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Jan 28, 2020
@leehinman leehinman requested a review from a team as a code owner January 28, 2020 16:53
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

Member

@andrewkroh andrewkroh left a comment


Seems like a nice simple enhancement to the module to add support for Forcepoint logs. Are there any more custom fields to add?

We'll want to document that the CEF module works for Forcepoint NGFW. I propose adding a section to the existing cef module documentation that shows it works for forcepoint NGFW and was tested against logs from version X and specifying that it needs to be configured to send CEF logs to the module's input address, etc.

@@ -24,3 +24,14 @@ processors:
- decode_cef:
field: event.original
- community_id:
- script:
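Review bot: `- script:` is appended to the processors list unconditionally after `- community_id:`, so the JavaScript VM is entered for every event the module ingests, not only the vendor this change targets; if the mappings are specific to one vendor, add a `when` condition on the processor (for example `when.equals.cef.device.vendor: FORCEPOINT`) so events from other CEF sources skip it entirely, and give the script a short comment saying what it maps, since the header shows this block growing from 3 to 14 lines with only the opening key visible here.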
Member


So this is a translation table specific to forcepoint? If so then I think it would be good to add a when condition so that the script only executes for forcepoint logs. An example would be when.equals.cef.device.vendor: FORCEPOINT.

Contributor Author


Good idea. I was waffling on this; the ruleid match seemed pretty generic, but the when is safer.

Member


On a related note, I think having support in the processor for directly creating key-value pairs from the custom label and value fields would be a nice future enhancement. Like automatically create cef.custom.string.mylabel: "myvalue" and if the label is an ECS field like rule.id (and the value is the proper data type) then just go ahead and populate the field.
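To make the two mappings discussed here concrete (the CustomString1 to rule.id rule from the PR description, and the label-driven generalisation suggested above), here is an added example written for this page; it is not code from the elastic/beats PR or the CEF module. It assumes decode_cef's field naming (cef.device.vendor, cef.extensions.deviceCustomString1 and its ...Label counterpart), uses a constructed stand-in for the script processor's Get/Put event API so it runs under Node, and uses an illustrative ECS allowlist that is not the module's own.

```javascript
// Added example for this thread, not code from the elastic/beats PR.
// Node-runnable stand-in for the Filebeat script processor's event API (Get/Put),
// plus the CustomString1 -> rule.id mapping from the PR description and a
// generalised label-driven mapping of the kind proposed in review.

// Constructed stand-in for the script processor's event object. The real processor
// hands the script an event with Get(path) / Put(path, value); this version backs
// them with a plain nested object so the example runs offline.
function makeEvent(fields) {
  return {
    fields: fields,
    Get: function (path) {
      var cur = this.fields;
      var parts = path.split(".");
      for (var i = 0; i < parts.length; i++) {
        if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) return null;
        cur = cur[parts[i]];
      }
      return cur;
    },
    Put: function (path, value) {
      var parts = path.split(".");
      var cur = this.fields;
      for (var i = 0; i < parts.length - 1; i++) {
        if (cur[parts[i]] === null || typeof cur[parts[i]] !== "object") cur[parts[i]] = {};
        cur = cur[parts[i]];
      }
      cur[parts[parts.length - 1]] = value;
    }
  };
}

// Mapping from the PR description: CustomString1 -> rule.id when CustomString1Label == RuleID.
// Field names (cef.device.vendor, cef.extensions.deviceCustomString1 and its ...Label
// counterpart) follow decode_cef's naming as I understand it; treat them as an assumption.
function forcepoint_mappings(evt) {
  // Vendor check duplicated in JS for a self-contained demo; in the module config the
  // guard belongs on the processor as a `when` condition so other vendors' events
  // never enter the VM at all.
  if (evt.Get("cef.device.vendor") !== "FORCEPOINT") return false;
  var label = evt.Get("cef.extensions.deviceCustomString1Label");
  var value = evt.Get("cef.extensions.deviceCustomString1");
  if (label !== "RuleID" || typeof value !== "string" || value === "") return false;
  evt.Put("rule.id", value);
  return true;
}

// Generalised form of the idea raised in review: each labelled custom slot becomes
// cef.custom.<kind>.<label>, and a label that literally names a known ECS field
// (with a value of the matching type) also populates that field. This allowlist is
// illustrative, not the module's.
var ECS_FIELD_TYPES = {
  "rule.id": "string",
  "rule.name": "string",
  "user.name": "string",
  "destination.port": "number"
};

function cef_custom_mappings(evt) {
  // CEF custom slots handled here: six strings, three numbers (date/IPv6 slots omitted).
  var slots = [["deviceCustomString", 6, "string"], ["deviceCustomNumber", 3, "number"]];
  var mapped = 0;
  for (var s = 0; s < slots.length; s++) {
    var prefix = slots[s][0], count = slots[s][1], kind = slots[s][2];
    for (var i = 1; i <= count; i++) {
      var label = evt.Get("cef.extensions." + prefix + i + "Label");
      var value = evt.Get("cef.extensions." + prefix + i);
      if (typeof label !== "string" || label === "" || value === null) continue;
      // Vendor labels are free text; squash anything that would split or break a field path.
      var key = label.replace(/[^A-Za-z0-9_]/g, "_");
      evt.Put("cef.custom." + kind + "." + key, value);
      mapped++;
      // Only an exact ECS field name with a value of the expected type is promoted.
      if (ECS_FIELD_TYPES.hasOwnProperty(label) && typeof value === ECS_FIELD_TYPES[label]) {
        evt.Put(label, value);
      }
    }
  }
  return mapped;
}

// Constructed sample event, shaped like decode_cef output for one firewall line.
function sampleEvent(vendor) {
  return makeEvent({
    cef: {
      device: { vendor: vendor, product: "NGFW" },
      extensions: {
        deviceCustomString1: "12345.1", deviceCustomString1Label: "RuleID",
        deviceCustomString2: "Allow HTTPS", deviceCustomString2Label: "rule.name",
        deviceCustomNumber1: 443, deviceCustomNumber1Label: "destination.port"
      }
    }
  });
}

if (typeof require !== "undefined" && require.main === module) {
  var demo = sampleEvent("FORCEPOINT");
  forcepoint_mappings(demo);
  cef_custom_mappings(demo);
  console.log(JSON.stringify(demo.fields, null, 2));
}
```

Run it with `node` to see the resulting fields. Note that under the generalised function a label such as `RuleID` only lands under `cef.custom.string.RuleID`; it does not populate `rule.id`, because the promotion rule is an exact ECS field name plus a type check, which is what keeps a free-text vendor label from silently overwriting an ECS field. In the module config the vendor guard is expressed as `when.equals.cef.device.vendor: FORCEPOINT` on the script processor, as proposed in this review.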

@@ -92,6 +92,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
- Add dashboard for AWS ELB fileset. {pull}15804[15804]

- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
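Review bot: the new changelog entry sits below a blank line instead of directly after `- Add dashboard for AWS ELB fileset. {pull}15804[15804]`, which splits the list; move it up one line, and end the sentence with a period before `{issue}14663[14663]` so it matches the punctuation of the neighbouring entries.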
Member


Shift this line up by one.

@leehinman
Contributor Author

> Seems like a nice simple enhancement to the module to add support for Forcepoint logs. Are there any more custom fields to add?

Not in the examples I have. I have a request out to see if there are any more.

> We'll want to document that the CEF module works for Forcepoint NGFW. I propose adding a section to the existing cef module documentation that shows it works for forcepoint NGFW and was tested against logs from version X and specifying that it needs to be configured to send CEF logs to the module's input address, etc.

Will do.

- add docs on configuring SMC
- only attempt mappings if vendor is FORCEPOINT
- script:
lang: javascript
source: >-
function forcepoint_mappings(evt) {
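Review bot: no `when:` key appears between `- script:` and `lang: javascript`, yet the commit message says mappings are only attempted when the vendor is FORCEPOINT; if that check now lives inside `forcepoint_mappings(evt)`, every event still pays for entering the JavaScript VM, so keep the function as it was and put `when.equals.cef.device.vendor: FORCEPOINT` on the processor in YAML so non-Forcepoint events never reach the script.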
Member


I liked what you had before, but just wanted a when condition added. The primary benefit to when is that it avoids invoking the javascript VM at all which I assume is a performance improvement over doing the check in JS for non-forcepoint logs.

Member

@andrewkroh andrewkroh left a comment


LGTM

@leehinman leehinman merged commit 82b8fe6 into elastic:master Feb 5, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Feb 5, 2020
…ic#15910)

* Add CustomString mapping to CEF for Forcepoint NGFW

Closes elastic#14663

(cherry picked from commit 82b8fe6)
@leehinman leehinman added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Feb 5, 2020
@leehinman leehinman deleted the 14663_fp_ngfw_smc_cef branch February 5, 2020 15:33
leehinman added a commit that referenced this pull request Mar 12, 2020
… (#16106)

* Add CustomString mapping to CEF for Forcepoint NGFW

Closes #14663

(cherry picked from commit 82b8fe6)
Successfully merging this pull request may close these issues.

[Filebeat] Add module for Forcepoint firewall logs