[Filebeat] Add CustomString mapping to CEF for Forcepoint NGFW #15910

Status: Merged (4 commits), Feb 5, 2020
Diff shown: changes from 2 commits
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
@@ -91,7 +91,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Filebeat*
- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
- Add dashboard for AWS ELB fileset. {pull}15804[15804]

- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
Member: Shift this line up by one.


*Heartbeat*

13 changes: 13 additions & 0 deletions filebeat/docs/modules/cef.asciidoc
@@ -40,13 +40,26 @@ The UDP port to listen for syslog traffic. Defaults to `9003`

NOTE: Ports below 1024 require Filebeat to run as root.

[float]
==== Forcepoint NGFW Security Management Center

This module will process CEF data from Forcepoint NGFW Security
Management Center (SMC). In the SMC configure the logs to be
forwarded to the address set in `var.syslog_host` in format CEF and
service UDP on `var.syslog_port`. Instructions can be found in
https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
configuring the SMC. Testing was done with CEF logs from SMC version
6.6.1


:has-dashboards!:

:fileset_ex!:

:modulename!:



[float]
=== Fields
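Review bot: The new "Forcepoint NGFW Security Management Center" section explains how to point the SMC at Filebeat but never says what the module does with Forcepoint's custom string fields, which is the point of this change; add a sentence stating that the custom string labelled `RuleID` (`cs1Label=RuleID`, `cs1=...` in the sample log) is copied to `rule.id`, so a reader knows which ECS field to search. The last sentence also lacks a full stop ("SMC version 6.6.1"). This block is identical to the one added to x-pack/filebeat/module/cef/_meta/docs.asciidoc, so the same fix is needed in both places.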

13 changes: 13 additions & 0 deletions x-pack/filebeat/module/cef/_meta/docs.asciidoc
@@ -35,8 +35,21 @@ The UDP port to listen for syslog traffic. Defaults to `9003`

NOTE: Ports below 1024 require Filebeat to run as root.

[float]
==== Forcepoint NGFW Security Management Center

This module will process CEF data from Forcepoint NGFW Security
Management Center (SMC). In the SMC configure the logs to be
forwarded to the address set in `var.syslog_host` in format CEF and
service UDP on `var.syslog_port`. Instructions can be found in
https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for
configuring the SMC. Testing was done with CEF logs from SMC version
6.6.1


:has-dashboards!:

:fileset_ex!:

:modulename!:
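Review bot: The sentence "configure the logs to be forwarded to the address set in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`" reads awkwardly; suggest "configure log forwarding to the address set in `var.syslog_host` and the port set in `var.syslog_port`, using the CEF format over UDP", which also makes explicit that only UDP is supported by this input. The wording is duplicated verbatim in filebeat/docs/modules/cef.asciidoc in this same PR, so keep the two copies in sync.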

19 changes: 19 additions & 0 deletions x-pack/filebeat/module/cef/log/config/input.yml
@@ -24,3 +24,22 @@ processors:
- decode_cef:
field: event.original
- community_id:
- script:
Member: So this is a translation table specific to forcepoint? If so then I think it would be good to add a when condition so that the script only executes for forcepoint logs. An example would be `when.equals.cef.device.vendor: FORCEPOINT`.

Contributor Author: Good idea. I was waffling on this, the ruleid match seemed pretty generic, but the when is safer.

Member: On a related note, I think having support in the processor for directly creating key-value pairs from the custom label and value fields would be a nice future enhancement. Like automatically create `cef.custom.string.mylabel: "myvalue"` and if the label is an ECS field like `rule.id` (and the value is the proper data type) then just go ahead and populate the field.

lang: javascript
source: >-
function forcepoint_mappings(evt) {
Member: I liked what you had before, but just wanted a when condition added. The primary benefit to when is that it avoids invoking the javascript VM at all which I assume is a performance improvement over doing the check in JS for non-forcepoint logs.

switch (evt.Get("cef.extensions.deviceCustomString1Label")) {
case "RuleID":
evt.Put("rule.id", evt.Get("cef.extensions.deviceCustomString1"));
default:
return;
}
}
function process(evt) {
switch (evt.Get("cef.device.vendor")) {
case "FORCEPOINT":
forcepoint_mappings(evt);
default:
return;
}
}
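Review bot: The vendor gate is done inside `process()`, so the JavaScript VM is entered for every CEF event only to return immediately when `cef.device.vendor` is not FORCEPOINT; put that check in a `when.equals.cef.device.vendor: FORCEPOINT` condition on the `script` processor (as the thread asks) and let `process()` do the mapping only. Both `switch` statements are also missing `break` after the `case` body, so execution falls through into `default: return;`; that is harmless with a single case but will silently skip work once a second label (or vendor) is added, so either add `break` or drop the `default` branches, which do nothing. Finally, `evt.Put("rule.id", ...)` copies `cs1` verbatim (e.g. `2097157.1` in the sample log); a short comment saying the value is kept as a string on purpose would save the next reader from "fixing" it into a number.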
13 changes: 13 additions & 0 deletions x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
@@ -0,0 +1,13 @@
CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10
CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09
CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1
CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0
CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0
CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366
CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33
CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31
CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26
CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09
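Review bot: Only the Connection_Allowed, Connection_Discarded and Connection_Refused lines carry `cs1Label=RuleID`, and no matching expected-output file for fp-ngfw-smc.log appears in this diff, so nothing asserts that `rule.id` actually ends up as `2097157.1`, `605.0` and `601.0` while the remaining lines leave it unset; add the golden file so the new mapping is covered by the fileset test. The hunk header also declares 13 lines but only 10 CEF records are visible; if the rest are trailing blank lines, trim them so they are not ingested as empty events. The `frag\=0x4000` escape in the Connection_Allowed line is a useful case to keep, since it checks that the decoder does not split on the escaped `=`.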


