-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat] Add CustomString mapping to CEF for Forcepoint NGFW #15910
Conversation
Pinging @elastic/siem (Team:SIEM) |
66c52fa
to
02058e0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like a nice simple enhancement to the module to add support for Forcepoint logs. Are there any more custom fields to add?
We'll want to document that the CEF module works for Forcepoint NGFW. I propose adding a section to the existing cef module documentation that shows it works for forcepoint NGFW and was tested against logs from version X and specifying that it needs to be configured to send CEF logs to the module's input address, etc.
@@ -24,3 +24,14 @@ processors: | |||
- decode_cef: | |||
field: event.original | |||
- community_id: | |||
- script: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this is a translation table specific to forcepoint? If so then I think it would be good to add a when
condition so that the script only executes for forcepoint logs. An example would be when.equals.cef.device.vendor: FORCEPOINT
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I was waffling on this, the ruleid match seemed pretty generic, but the when is safer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On a related note, I think having support in the processor for directly creating key-value pairs from the custom label and value fields would be a nice future enhancement. Like automatically create cef.custom.string.mylabel: "myvalue"
and if the label is an ECS field like rule.id
(and the value is the proper data type) then just go ahead and populate the field.
@@ -92,6 +92,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d | |||
- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] | |||
- Add dashboard for AWS ELB fileset. {pull}15804[15804] | |||
|
|||
- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shift this line up by one.
Not in the examples I have. I have a request out to see if there are any more.
will do |
- add docs on configuring SMC - only attempt mappings if vendor is FORCEPOINT
- script: | ||
lang: javascript | ||
source: >- | ||
function forcepoint_mappings(evt) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I liked what you had before, but just wanted a when
condition added. The primary benefit to when
is that it avoids invoking the javascript VM at all which I assume is a performance improvement over doing the check in JS for non-forcepoint logs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…ic#15910) * Add CustomString mapping to CEF for Forcepoint NGFW Closes elastic#14663 (cherry picked from commit 82b8fe6)
Closes #14663