From 02058e09a4d8bfa7458aa299f5d4e280a8898e08 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Mon, 27 Jan 2020 15:30:35 -0600 Subject: [PATCH 1/3] Add CustomString mapping to CEF for Forcepoint NGFW Closes #14663 --- CHANGELOG.next.asciidoc | 1 + .../filebeat/module/cef/log/config/input.yml | 11 + .../module/cef/log/test/fp-ngfw-smc.log | 13 + .../log/test/fp-ngfw-smc.log-expected.json | 398 ++++++++++++++++++ 4 files changed, 423 insertions(+) create mode 100644 x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log create mode 100644 x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 28366c77271..9b53bbaedfc 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -92,6 +92,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] - Add dashboard for AWS ELB fileset. {pull}15804[15804] +- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910] *Heartbeat* diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 91439736fab..86d00fb6484 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -24,3 +24,14 @@ processors: - decode_cef: field: event.original - community_id: + - script: + lang: javascript + source: >- + function process(evt) { + switch (evt.Get("cef.extensions.deviceCustomString1Label")) { + case "RuleID": + evt.Put("rule.id", evt.Get("cef.extensions.deviceCustomString1")); + default: + return; + } + } diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log new file mode 100644 index 00000000000..a7ce1c7bbc6 --- /dev/null +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log 
@@ -0,0 +1,13 @@ +CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10 +CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09 +CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1 +CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0 +CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0 +CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366 +CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 
2020 08:56:33 +CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31 +CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26 +CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09 + + + diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json new file mode 100644 index 00000000000..b421822914d --- /dev/null +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json 
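Review bot: The fixture ends with three empty added lines (the trailing `+` lines before the next file header), which do not correspond to any event — the expected file in this same commit holds ten events for a thirteen-line log, so they are presumably skipped by the input. They add nothing to the test and make the line count misleading; trim the file so it ends at the last `CEF:0|FORCEPOINT|...` line. If blank-line handling is meant to be exercised, one blank line is enough and deserves a comment in the manifest or test naming it as deliberate.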
@@ -0,0 +1,398 @@ +[ + { + "cef.device.event_class_id": "0", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Logging System", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:10.000Z", + "cef.extensions.message": "log server connection established", + "cef.name": "Generic", + "cef.severity": "0", + "cef.version": "0", + "event.code": "0", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "message": "log server connection established", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "9005", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Management", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "Communication error: No route to host (-3, 5, 0)", + "cef.name": "FW_Communication-Communication-Error", + "cef.severity": "0", + "cef.version": "0", + "event.code": "9005", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 202, + "message": "Communication error: No route to host (-3, 5, 0)", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70018", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.applicationProtocol": "Dest. Unreachable (Host Unreachable)", + "cef.extensions.destinationAddress": "10.1.1.40", + "cef.extensions.deviceAction": "Allow", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceCustomString1": "2097157.1", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020", + "cef.extensions.sourceAddress": "10.37.205.252", + "cef.extensions.transportProtocol": "1", + "cef.name": "Connection_Allowed", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "10.1.1.40", + "event.action": "Allow", + "event.code": "70018", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 
deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 447, + "message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020", + "network.application": "Dest. Unreachable (Host Unreachable)", + "network.community_id": "1:jVNka6fvdh9Qms3nSigb93hGP6U=", + "network.transport": "1", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "rule.id": "2097157.1", + "service.type": "cef", + "source.ip": "10.37.205.252", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70019", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "BOOTPS (UDP)", + "cef.extensions.destinationAddress": "255.255.255.255", + "cef.extensions.destinationPort": 67, + "cef.extensions.deviceAddress": "10.1.1.10", + "cef.extensions.deviceCustomString1": "605.0", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Firewall-10 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.10", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:21.000Z", + "cef.extensions.sourceAddress": "172.16.1.1", + "cef.extensions.sourcePort": 68, + "cef.extensions.transportProtocol": "17", + "cef.name": "Connection_Discarded", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "255.255.255.255", + "destination.port": 67, + "event.code": "70019", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 857, + "message": "Connection_Discarded", + "network.application": "BOOTPS (UDP)", + "network.community_id": "1:gRGAPcxUiQY+cM2V/f6dU0AJnuI=", + "network.transport": "17", + "observer.hostname": "10.1.1.10", + "observer.ip": "10.1.1.10", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "rule.id": "605.0", + "service.type": "cef", + "source.ip": "172.16.1.1", + "source.port": 68, + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70020", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "Echo Request (No Code)", + "cef.extensions.destinationAddress": "192.168.1.1", + "cef.extensions.deviceAction": "Refuse", + "cef.extensions.deviceAddress": "10.1.1.1", + "cef.extensions.deviceCustomString1": "601.0", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Firewall-1 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.1", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:23.000Z", + "cef.extensions.sourceAddress": "172.16.1.1", + "cef.extensions.transportProtocol": "1", + "cef.name": "Connection_Refused", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "192.168.1.1", + "event.action": "Refuse", + "event.code": "70020", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1173, + "message": "Connection_Refused", + "network.application": "Echo Request (No Code)", + "network.community_id": "1:rdTu3DxOTXebXEr+rcV80Pk9a1s=", + "network.transport": "1", + "observer.hostname": "10.1.1.1", + "observer.ip": "10.1.1.1", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "rule.id": "601.0", + "service.type": "cef", + "source.ip": "172.16.1.1", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70021", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "TCP", + "cef.extensions.bytesIn": 32526, + "cef.extensions.bytesOut": 27366, + "cef.extensions.destinationServiceName": "YouTube", + "cef.extensions.deviceAddress": "10.1.1.6", + "cef.extensions.deviceExternalId": "Firewall-6 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.6", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:20.000Z", + "cef.extensions.sourceUserName": "alice", + "cef.extensions.transportProtocol": "6", + "cef.name": "Connection_Closed", + "cef.severity": "0", + "cef.version": "0", + "destination.bytes": 27366, + "destination.service.name": "YouTube", + "event.code": "70021", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 
deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1486, + "message": "Connection_Closed", + "network.application": "TCP", + "network.transport": "6", + "observer.hostname": "10.1.1.6", + "observer.ip": "10.1.1.6", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.bytes": 32526, + "source.user.name": "alice", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72714", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.3", + "cef.extensions.deviceExternalId": "Firewall-3 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.3", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:33.000Z", + "cef.extensions.sourceAddress": "192.168.1.1", + "cef.extensions.sourceUserName": "bob", + "cef.name": "ECA_Metadata_login", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72714", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1773, + "message": "ECA_Metadata_login", + "observer.hostname": "10.1.1.3", + "observer.ip": "10.1.1.3", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "192.168.1.1", + "source.user.name": "bob", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72715", + 
"cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.10", + "cef.extensions.deviceExternalId": "Firewall-10 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.10", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:31.000Z", + "cef.extensions.sourceAddress": "192.168.1.1", + "cef.extensions.sourceUserName": "bob", + "cef.name": "ECA_Metadata_logout", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72715", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1987, + "message": "ECA_Metadata_logout", + "observer.hostname": "10.1.1.10", + "observer.ip": "10.1.1.10", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "192.168.1.1", + "source.user.name": "bob", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72716", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.8", + "cef.extensions.deviceExternalId": "Firewall-8 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.8", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:26.000Z", + "cef.extensions.sourceAddress": "172.16.2.1", + "cef.extensions.sourceUserName": "alice", + "cef.name": "ECA_Metadata_system_metadata_received", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72716", + "event.dataset": "cef.log", + "event.module": "cef", + 
"event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 2205, + "message": "ECA_Metadata_system_metadata_received", + "observer.hostname": "10.1.1.8", + "observer.ip": "10.1.1.8", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "172.16.2.1", + "source.user.name": "alice", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "78002", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Management", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "TLS: Couldn't establish TLS connection (11, N/A)", + "cef.name": "TLS connection state", + "cef.severity": "0", + "cef.version": "0", + "event.code": "78002", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 2439, + "message": "TLS: Couldn't establish TLS connection (11, N/A)", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + } +] \ No newline at end of 
file From df4d2ee649d495851bb9cf2774c97f3e91b9a7a3 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Wed, 29 Jan 2020 14:40:39 -0600 Subject: [PATCH 2/3] Only attempt mapping if vendor is Forcepoint - add docs on configuring SMC - only attempt mappings if vendor is FORCEPOINT --- CHANGELOG.next.asciidoc | 1 - filebeat/docs/modules/cef.asciidoc | 13 +++++++++++++ x-pack/filebeat/module/cef/_meta/docs.asciidoc | 13 +++++++++++++ x-pack/filebeat/module/cef/log/config/input.yml | 10 +++++++++- 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9b53bbaedfc..8063081b7f4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -91,7 +91,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] - Add dashboard for AWS ELB fileset. {pull}15804[15804] - - Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910] *Heartbeat* diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 8d77f147853..45e59b4a41a 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -40,6 +40,18 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +[float] +==== Forcepoint NGFW Security Management Center + +This module will process CEF data from Forcepoint NGFW Security +Management Center (SMC). In the SMC configure the logs to be +forwarded to the address set in `var.syslog_host` in format CEF and +service UDP on `var.syslog_port`. Instructions can be found in +https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for +configuring the SMC. Testing was done with CEF logs from SMC version +6.6.1 + + :has-dashboards!: :fileset_ex!: 
@@ -47,6 +59,7 @@ NOTE: Ports below 1024 require Filebeat to run as root. :modulename!: + [float] === Fields diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 89b63cc88bd..73cabff30f8 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -35,8 +35,21 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +[float] +==== Forcepoint NGFW Security Management Center + +This module will process CEF data from Forcepoint NGFW Security +Management Center (SMC). In the SMC configure the logs to be +forwarded to the address set in `var.syslog_host` in format CEF and +service UDP on `var.syslog_port`. Instructions can be found in +https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for +configuring the SMC. Testing was done with CEF logs from SMC version +6.6.1 + + :has-dashboards!: :fileset_ex!: :modulename!: + diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 86d00fb6484..27d4640fb71 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -27,7 +27,7 @@ processors: - script: lang: javascript source: >- - function process(evt) { + function forcepoint_mappings(evt) { switch (evt.Get("cef.extensions.deviceCustomString1Label")) { case "RuleID": evt.Put("rule.id", evt.Get("cef.extensions.deviceCustomString1")); @@ -35,3 +35,11 @@ processors: return; } } + function process(evt) { + switch (evt.Get("cef.device.vendor")) { + case "FORCEPOINT": + forcepoint_mappings(evt); + default: + return; + } + } From 616a208b76140e554d396ef94a825054ea59bbca Mon Sep 17 00:00:00 2001 
From: "Lee E. Hinman" Date: Fri, 31 Jan 2020 13:55:15 -0600 Subject: [PATCH 3/3] Switch to ingest pipeline, add all documented custom mappings --- filebeat/docs/fields.asciidoc | 20 +++++++++++++- filebeat/docs/modules/cef.asciidoc | 3 ++- .../filebeat/module/cef/_meta/docs.asciidoc | 3 ++- x-pack/filebeat/module/cef/_meta/fields.yml | 5 ++-- x-pack/filebeat/module/cef/fields.go | 2 +- .../filebeat/module/cef/log/_meta/fields.yml | 10 +++++++ .../filebeat/module/cef/log/config/input.yml | 19 ------------- .../module/cef/log/ingest/fp-pipeline.yml | 27 +++++++++++++++++++ .../module/cef/log/ingest/pipeline.yml | 4 ++- x-pack/filebeat/module/cef/log/manifest.yml | 5 +++- 10 files changed, 71 insertions(+), 27 deletions(-) create mode 100644 x-pack/filebeat/module/cef/log/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 98dc6ff13e3..701eded16af 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4655,9 +4655,27 @@ type: keyword [[exported-fields-cef-module]] == CEF fields -Module for receiving CEF logs over Syslog. The module does not add fields beyond what the decode_cef processor provides. +Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. + +[float] +=== forcepoint + +Fields for Forcepoint Custom String mappings + + + +*`forcepoint.virus_id`*:: ++ +-- +Virus ID + + +type: keyword + +-- + [[exported-fields-cisco]] == Cisco fields diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 45e59b4a41a..97c0469daa5 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc 
@@ -49,7 +49,8 @@ forwarded to the address set in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. Instructions can be found in https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for configuring the SMC. Testing was done with CEF logs from SMC version -6.6.1 +6.6.1 and custom string mappings were taken from 'CEF Connector +Configuration Guide' dated December 5, 2011. :has-dashboards!: diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 73cabff30f8..19b2f5eb1b3 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -44,7 +44,8 @@ forwarded to the address set in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. Instructions can be found in https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for configuring the SMC. Testing was done with CEF logs from SMC version -6.6.1 +6.6.1 and custom string mappings were taken from 'CEF Connector +Configuration Guide' dated December 5, 2011. :has-dashboards!: diff --git a/x-pack/filebeat/module/cef/_meta/fields.yml b/x-pack/filebeat/module/cef/_meta/fields.yml index 6cd823e6bb8..1ea96f71d81 100644 --- a/x-pack/filebeat/module/cef/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/_meta/fields.yml @@ -1,6 +1,7 @@ - key: cef-module title: CEF description: > - Module for receiving CEF logs over Syslog. The module does not add fields - beyond what the decode_cef processor provides. + Module for receiving CEF logs over Syslog. The module adds vendor + specific fields in addition to the fields the decode_cef processor + provides. fields: diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index 194c5dbe918..19312fd7aca 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go 
@@ -19,5 +19,5 @@ func init() {
 // AssetCef returns asset data.
 // This is the base64 encoded gzipped contents of module/cef.
 func AssetCef() string {
- return "eJwszDEOwjAQRNHep5gLJAdwQYOgo4IeBe84sTDeyGuCcnuUQDfFn9fhydUjMHYvlXemA1pqmR7H09kBQgs1zS1p8Tg4ALjsIaJWVAamJZVxq5F1NOjCiutqWccet4n4uRCloWjDIIKYmMV27cFVi+AzDQ1tIoRBhffAiLlqoJnWbS1JaL3D/+vdNwAA//95Jj6g"
+ return "eJx8kMFq8zAQhO9+inmB5AF0+C/5a+ihp5RejZFWzhJZK7Syi9++yImDk0L3JHZGsx9zwJUWA0v+MIqbAjVA4RLI4PTWNoAjtZlTYYkG/xoA+FiN8JKRyRLPHIfqRpBBITNlnBcNMhzxeSHcctE7p5gpOslriiay7NnCMwWn4FgtXA+hCMqFNqU+HVlx1FnySFksqd5jUpaZHemxwd1v1n2dA2I/kqmklpJwLA8JKEsigyHLlHZbR76fQunWKAPfB6Un+Vcb27Q32NpK+7iH06RFRpxLriWNfUocB919fGXec8+cJ+3YPYkb+ZWWb8mv2h+Adb5qIt7/Nz8BAAD//0k3k/4="
 }
diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml
new file mode 100644
index 00000000000..0d24bf8458f
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml
@@ -0,0 +1,10 @@
+- name: forcepoint
+ type: group
+ default_field: false
+ description: >
+ Fields for Forcepoint Custom String mappings
+ fields:
+ - name: virus_id
+ type: keyword
+ description: >
+ Virus ID
diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml
index 27d4640fb71..91439736fab 100644
--- a/x-pack/filebeat/module/cef/log/config/input.yml
+++ b/x-pack/filebeat/module/cef/log/config/input.yml
@@ -24,22 +24,3 @@ processors:
 - decode_cef:
 field: event.original
 - community_id:
- - script:
- lang: javascript
- source: >-
- function forcepoint_mappings(evt) {
- switch (evt.Get("cef.extensions.deviceCustomString1Label")) {
- case "RuleID":
- evt.Put("rule.id", evt.Get("cef.extensions.deviceCustomString1"));
- default:
- return;
- }
- }
- function process(evt) {
- switch (evt.Get("cef.device.vendor")) {
- case "FORCEPOINT":
- forcepoint_mappings(evt);
- default:
- return;
- }
- }
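Review bot: The new field definition and the new pipeline disagree on where the virus id lives: `log/_meta/fields.yml` declares the group as a top-level `forcepoint` (and the regenerated `filebeat/docs/fields.asciidoc` in this commit accordingly documents `forcepoint.virus_id`), while `ingest/fp-pipeline.yml` in the next file section writes to `cef.forcepoint.virus_id`. One side has to move — either `field: forcepoint.virus_id` in the pipeline, or the group nested under `cef` in fields.yml — otherwise, as far as I can tell, the populated field has no declared mapping and the documented one is never filled. Whichever name wins, the test expected file should gain an event that carries a cs4 value so the mapping is actually exercised.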
diff --git a/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml new file mode 100644 index 00000000000..3fe032c00fb --- /dev/null +++ b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml @@ -0,0 +1,27 @@ +--- +description: Pipeline for Forcepoint CEF + +processors: + # cs1 is ruleID + - set: + field: rule.id + value: "{{cef.extensions.deviceCustomString1}}" + if: "ctx.cef?.extensions?.deviceCustomString1 != null" + + # cs2 is natRuleID + - set: + field: rule.id + value: "{{cef.extensions.deviceCustomString2}}" + if: "ctx.cef?.extensions?.deviceCustomString2 != null" + + # cs3 is VulnerabilityReference + - set: + field: vulnerability.reference + value: "{{cef.extensions.deviceCustomString3}}" + if: "ctx.cef?.extensions?.deviceCustomString3 != null" + + # cs4 is virusID + - set: + field: cef.forcepoint.virus_id + value: "{{cef.extensions.deviceCustomString4}}" + if: "ctx.cef?.extensions?.deviceCustomString4 != null" diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index fd520132cca..2600dbeec08 100644 --- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -45,7 +45,9 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - + - pipeline: + name: '{< IngestPipeline "fp-pipeline" >}' + if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/cef/log/manifest.yml b/x-pack/filebeat/module/cef/log/manifest.yml index 049b963a4aa..670a3188a4e 100644 --- a/x-pack/filebeat/module/cef/log/manifest.yml +++ b/x-pack/filebeat/module/cef/log/manifest.yml @@ -13,7 +13,10 @@ var: - name: input default: syslog -ingest_pipeline: ingest/pipeline.yml +ingest_pipeline: + - ingest/pipeline.yml + - ingest/fp-pipeline.yml + input: config/input.yml requires.processors:
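Review bot: The cs1 and cs2 processors both target `rule.id`, so whenever a Forcepoint event carries both custom strings the NAT rule id from cs2 (per the `# cs2 is natRuleID` comment) silently overwrites the firewall rule id from cs1, and a consumer of `rule.id` cannot tell which one it is looking at. Give cs2 its own field under the forcepoint group (declared in fields.yml next to `virus_id`), or at minimum state the precedence in the comment, e.g. `# cs2 is natRuleID; when present it replaces the cs1 RuleID in rule.id`. The move to an ingest pipeline also drops the label check the earlier script processor had (`deviceCustomString1Label == "RuleID"`): the sub-pipeline is now gated only on the vendor condition in `pipeline.yml`, so any FORCEPOINT event that uses cs1 for something else is still mapped to `rule.id`. Where the label is known — the fixture shows `cs1Label=RuleID` — extending the first condition to `if: "ctx.cef?.extensions?.deviceCustomString1 != null && ctx.cef?.extensions?.deviceCustomString1Label == 'RuleID'"` keeps the original safeguard.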