diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
new file mode 100644
index 00000000000..c2a7b014e15
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
@@ -0,0 +1 @@
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.json
new file mode 100644
index 00000000000..f71947c2f04
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
new file mode 100644
index 00000000000..0a04b9aef42
--- /dev/null
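Review bot: The `.*` pattern on `event.ingested` accepts any value, including an empty string, so a regression that emits an empty or malformed ingest time would still pass the pipeline test; the field only needs masking because its value changes per run, not because its shape is unknown. A timestamp-shaped pattern keeps the masking while still checking the field, e.g. `"event.ingested": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\\.[0-9]+)?Z$"` (constructed; the expected files show values such as `2020-11-19T23:29:40.422473300Z`, which it matches). The identical config in the test-checkpoint.log-config.json hunk has the same gap.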
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
@@ -0,0 +1,75 @@
+{
+ "expected": [
+ {
+ "checkpoint": {
+ "logid": "0",
+ "parent_rule": "0",
+ "rule_action": "Accept",
+ "match_id": "1"
+ },
+ "server": {
+ "port": 514,
+ "ip": "192.168.1.153"
+ },
+ "destination": {
+ "port": 514,
+ "ip": "192.168.1.153"
+ },
+ "rule": {
+ "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"
+ },
+ "source": {
+ "port": 43103,
+ "ip": "192.168.1.100"
+ },
+ "network": {
+ "name": "Network",
+ "application": "syslog",
+ "iana_number": "17",
+ "direction": "outbound"
+ },
+ "observer": {
+ "name": "192.168.1.100",
+ "ingress": {
+ "zone": "Local"
+ },
+ "product": "VPN-1 \u0026 FireWall-1",
+ "type": "firewall",
+ "vendor": "Checkpoint",
+ "egress": {
+ "interface": {
+ "name": "eth0"
+ },
+ "zone": "External"
+ }
+ },
+ "@timestamp": "2020-07-13T13:29:14.000Z",
+ "related": {
+ "ip": [
+ "192.168.1.100",
+ "192.168.1.153"
+ ]
+ },
+ "client": {
+ "port": 43103,
+ "ip": "192.168.1.100"
+ },
+ "event": {
+ "sequence": 1,
+ "ingested": "2020-11-19T23:29:40.422473300Z",
+ "kind": "event",
+ "module": "checkpoint",
+ "action": "Accept",
+ "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "allowed",
+ "connection"
+ ],
+ "outcome": "success"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
new file mode 100644
index 00000000000..9e86bccac9c
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
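Review bot: The expected document takes `@timestamp` from the log's `time:"1594646954"` field (2020-07-13T13:29:14Z) and nothing in it retains the syslog header time 2020-03-30T07:20:35Z, so the fixture pins the override but gives no way to notice a skewed or replayed device clock displacing the receipt time. If the pipeline keeps the header timestamp in a separate field (`event.created` would be the usual ECS home — confirm against the package's fields definition), this fixture should assert it alongside `@timestamp`. The syslog hostname `gw-da58d3` is likewise absent from the output while `observer.name` carries the `origin` IP; if `observer.hostname` is meant to be populated, this fixture is the place to pin it.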
@@ -0,0 +1,21 @@ +<134>1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; product:"System Monitor"; sys_message::"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"] +<134>1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"2"; version:"5"; product:"System Monitor"; sys_message::"installed Standard"] +<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46915"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"] +<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36749"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"] +<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"] +<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; description:"Contracts"; product:"Security Gateway/Management"; status:"Started"; update_service:"1"; version:"1.0"] +<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"] +<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47919"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"] +<134>1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] +<134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"Application Control"; severity:"1"; update_status:"updated"] +<134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"URL Filtering"; severity:"1"; update_status:"updated"] +<134>1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; 
service_id:"nbdatagram"; src:"192.168.1.1"] +<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] +<134>1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] +<134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] +<134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"] +<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] 
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.json
new file mode 100644
index 00000000000..f71947c2f04
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
new file mode 100644
index 00000000000..8d99d8e98ba
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
@@ -0,0 +1,1279 @@ +{ + "expected": [ + { + "checkpoint": { + "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "daemon" + } + }, + "product": "System Monitor", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-29T13:19:20.000Z", + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666672800Z", + "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", + "category": [ + "network" + ], + "kind": "event", + "module": "checkpoint" + }, + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "sys_message": "installed Standard" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "daemon" + } + }, + "product": "System Monitor", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-29T13:19:21.000Z", + "event": { + "sequence": 2, + "ingested": "2020-11-19T23:29:38.666682200Z", + "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", + "category": [ + "network" + ], + "kind": "event", + "module": "checkpoint" + }, + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 53, + "ip": "192.168.1.1" + }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 46915, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "Internal" + } + }, + "@timestamp": "2020-03-29T13:19:22.000Z", + "related": 
{ + "ip": [ + "192.168.1.100", + "192.168.1.1" + ] + }, + "client": { + "port": 46915, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666689600Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "nat_addtnl_rulenum": "0", + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "nat_rulenum": "0", + "match_id": "1" + }, + "server": { + "port": 443, + "ip": "194.29.39.10" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IL-TA", + "city_name": "Tel Aviv", + "country_iso_code": "IL", + "country_name": "Israel", + "region_name": "Tel Aviv", + "location": { + "lon": 34.7647, + "lat": 32.0678 + } + }, + "as": { + "number": 25046, + "organization": { + "name": "Check Point Software Technologies LTD" + } + }, + "port": 443, + "ip": "194.29.39.10" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "nat": { + "port": 26680 + }, + "port": 61794, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "https", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "Internal" + } + }, + "@timestamp": "2020-03-29T13:19:22.000Z", + "related": { + "ip": [ + "192.168.1.100", + "194.29.39.10" + ] + }, + "client": { + "nat": { + "port": 26680 + }, + "port": 61794, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 2, + "ingested": "2020-11-19T23:29:38.666722500Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}", + "category": [ + 
"network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 53, + "ip": "192.168.1.1" + }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 36749, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "Internal" + } + }, + "@timestamp": "2020-03-29T13:19:22.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.168.1.1" + ] + }, + "client": { + "port": 36749, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 3, + "ingested": "2020-11-19T23:29:38.666727700Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "description": "Contracts", + "comment": "No update was found", + "status": "Finished" + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-29T23:18:44.000Z", + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666734100Z", + "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ], + "kind": "event", + "module": "checkpoint" + }, + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "nat_addtnl_rulenum": "0", + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "nat_rulenum": "0", + 
"match_id": "1" + }, + "server": { + "port": 80, + "ip": "192.124.249.41" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 30148, + "organization": { + "name": "Sucuri" + } + }, + "port": 80, + "ip": "192.124.249.41" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "nat": { + "port": 10860 + }, + "port": 61180, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "http", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-29T23:18:43.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.124.249.41" + ] + }, + "client": { + "nat": { + "port": 10860 + }, + "port": 61180, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 8, + "ingested": "2020-11-19T23:29:38.666741500Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "log_delay": "1585523933", + "logid": "0", + "conn_direction": "Outgoing", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 53, + "ip": "8.8.8.8" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "rule": { + "uuid": 
"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 55039, + "ip": "192.168.2.2" + }, + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "eth1" + } + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-29T23:18:53.000Z", + "related": { + "ip": [ + "192.168.2.2", + "8.8.8.8" + ] + }, + "client": { + "port": 55039, + "ip": "192.168.2.2" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666748700Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "description": "Contracts", + "status": "Started" + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-30T01:18:44.000Z", + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666756Z", + "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ], + "kind": "event", + "module": "checkpoint" + }, + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "nat_addtnl_rulenum": "0", + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "nat_rulenum": "0", + "match_id": "1" + }, + "server": { + "port": 80, + "ip": "192.124.249.36" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 30148, + "organization": { + "name": "Sucuri" + } + }, + "port": 80, + "ip": "192.124.249.36" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + 
"source": { + "nat": { + "port": 11157 + }, + "port": 51894, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "http", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T01:18:46.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.124.249.36" + ] + }, + "client": { + "nat": { + "port": 11157 + }, + "port": 51894, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 2, + "ingested": "2020-11-19T23:29:38.666763200Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 53, + "ip": "192.168.1.1" + }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 47919, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T01:18:46.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.168.1.1" + ] + }, + "client": { + "port": 47919, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 3, + "ingested": "2020-11-19T23:29:38.666770500Z", + "kind": "event", + "module": "checkpoint", + 
"action": "Accept", + "id": "{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "description": "Contracts", + "comment": "No update was found", + "status": "Finished" + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-30T01:18:46.000Z", + "event": { + "sequence": 5, + "ingested": "2020-11-19T23:29:38.666778Z", + "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ], + "kind": "event", + "module": "checkpoint" + }, + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 514, + "ip": "192.168.1.153" + }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T06:12:45.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.168.1.153" + ] + }, + "client": { + "port": 43103, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 13, + "ingested": "2020-11-19T23:29:38.666785300Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "db_ver": "20033003", + 
"description": "Gateway was updated with database version: 22032001.", + "update_status": "updated" + }, + "observer": { + "name": "192.168.1.100", + "product": "Application Control", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-30T06:12:51.000Z", + "event": { + "severity": 1, + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666792600Z", + "kind": "event", + "module": "checkpoint", + "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ] + }, + "network": { + "direction": "outbound" + } + }, + { + "checkpoint": { + "db_ver": "20033003", + "description": "Gateway was updated with database version: 22032001.", + "update_status": "updated" + }, + "observer": { + "name": "192.168.1.100", + "product": "URL Filtering", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-30T06:12:51.000Z", + "event": { + "severity": 1, + "sequence": 2, + "ingested": "2020-11-19T23:29:38.666799800Z", + "kind": "event", + "module": "checkpoint", + "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ] + }, + "network": { + "direction": "outbound" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 138, + "ip": "192.168.1.255" + }, + "destination": { + "port": 138, + "ip": "192.168.1.255" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 138, + "ip": "192.168.1.1" + }, + "network": { + "name": "Network", + "application": "nbdatagram", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "zone": "Local" + } + }, + "@timestamp": "2020-03-30T06:13:21.000Z", + "related": { + "ip": [ + "192.168.1.1", + "192.168.1.255" + ] + }, + 
"client": { + "port": 138, + "ip": "192.168.1.1" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666807100Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e818e01,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "tcp_packet_out_of_state": "First packet isn't SYN", + "tcp_flags": "FIN-ACK", + "logid": "1" + }, + "server": { + "port": 80, + "ip": "2.21.41.118" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 16625, + "organization": { + "name": "Akamai Technologies, Inc." + } + }, + "port": 80, + "ip": "2.21.41.118" + }, + "source": { + "port": 65488, + "ip": "192.168.1.100" + }, + "network": { + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + } + } + }, + "@timestamp": "2020-03-30T06:13:42.000Z", + "related": { + "ip": [ + "192.168.1.100", + "2.21.41.118" + ] + }, + "client": { + "port": 65488, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666814500Z", + "kind": "event", + "module": "checkpoint", + "action": "Drop", + "id": "{0x5e818e17,0x0,0x6401a8c0,0x108620ab}", + "category": [ + "network" + ] + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 514, + "ip": "192.168.1.153" + }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "syslog", + 
"iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T07:18:59.000Z", + "related": { + "ip": [ + "192.168.1.100", + "192.168.1.153" + ] + }, + "client": { + "port": 43103, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666821700Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e819d63,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 137, + "ip": "192.168.1.255" + }, + "destination": { + "port": 137, + "ip": "192.168.1.255" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 50024, + "ip": "192.168.1.196" + }, + "network": { + "name": "Network", + "application": "nbname", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "zone": "Local" + } + }, + "@timestamp": "2020-03-30T07:19:22.000Z", + "related": { + "ip": [ + "192.168.1.196", + "192.168.1.255" + ] + }, + "client": { + "port": 50024, + "ip": "192.168.1.196" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666829Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + 
"checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 22, + "ip": "192.168.1.100" + }, + "destination": { + "port": 22, + "ip": "192.168.1.100" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 60226, + "ip": "192.168.1.205" + }, + "network": { + "name": "Network", + "application": "ssh", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "zone": "Local" + } + }, + "@timestamp": "2020-03-30T07:20:33.000Z", + "related": { + "ip": [ + "192.168.1.205", + "192.168.1.100" + ] + }, + "client": { + "port": 60226, + "ip": "192.168.1.205" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666836200Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "server": { + "port": 514, + "ip": "192.168.1.153" + }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "network": { + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T07:20:35.000Z", + "related": { + "ip": [ + 
"192.168.1.100", + "192.168.1.153" + ] + }, + "client": { + "port": 43103, + "ip": "192.168.1.100" + }, + "event": { + "sequence": 1, + "ingested": "2020-11-19T23:29:38.666886500Z", + "kind": "event", + "module": "checkpoint", + "action": "Accept", + "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 02a9b79a265..e4332188629 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -310,9 +310,11 @@ processors: type: long ignore_failure: true ignore_missing: true -- rename: +- convert: field: checkpoint.severity target_field: event.severity + type: long + ignore_failure: true ignore_missing: true - rename: field: checkpoint.action @@ -801,6 +803,7 @@ processors: - checkpoint.xlatedst - checkpoint.uid - checkpoint.time + - checkpoint.severity - syslog5424_ts ignore_missing: true on_failure: diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml index e1f57de37e3..9797edff848 100644 --- a/packages/checkpoint/data_stream/firewall/fields/fields.yml +++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml @@ -1607,3 +1607,14 @@ - name: trusted_domain type: keyword description: In case of phishing event, the domain, which the attacker was impersonating. + - name: comment + type: keyword + - name: conn_direction + type: keyword + description: Connection direction + - name: db_ver + type: keyword + description: Database version + - name: update_status + type: keyword + description: Status of database update 
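Review bot: The new `convert` processor for `checkpoint.severity` uses `ignore_failure: true`, and the later hunk adds `checkpoint.severity` to the unconditional `remove` list, so a severity value that does not parse as a long is dropped silently — neither `event.severity` nor the raw field survives, and nothing records that the conversion failed. The only value visible in the fixtures is `severity:"1"`, which converts cleanly; I cannot tell from this diff whether Check Point ever emits non-numeric severities, but if it does, the resulting events lose their severity with no trace, which is a detection-quality regression. Consider keeping the raw value when conversion fails by making the removal conditional, `if: ctx.event?.severity != null`, or replacing `ignore_failure: true` on the convert with an `on_failure` that appends to `error.message` so the failure is observable in the index. The enclosing `remove` processor in the second hunk starts outside the hunk, so its existing `on_failure` handler is only partially visible here.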
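Review bot: The new `checkpoint.comment` field is declared without a `description`, and the README hunk shows the empty cell this produces. The fixture carries it as free text from an update event (`"comment": "No update was found"`), so a hedged description such as `description: Free-text comment attached to the log entry (e.g. the result text of a database update).` would bring it in line with the sibling entries, which all document their meaning.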
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md index 7deb91e4cbf..7c4adc2f24d 100644 --- a/packages/checkpoint/docs/README.md +++ b/packages/checkpoint/docs/README.md @@ -63,8 +63,10 @@ Consists of log entries from the Log Exporter in the Syslog format. | checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword | | checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword | | checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword | +| checkpoint.comment | | keyword | | checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword | | checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer | +| checkpoint.conn_direction | Connection direction | keyword | | checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword | | checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword | | checkpoint.conns_amount | Connections amount of aggregated log info. | integer | @@ -79,6 +81,7 @@ Consists of log entries from the Log Exporter in the Syslog format. | checkpoint.cvpn_category | Mobile Access application type. | keyword | | checkpoint.cvpn_resource | Mobile Access application. | keyword | | checkpoint.data_type_name | Data type in rulebase that was matched. | keyword | +| checkpoint.db_ver | Database version | keyword | | checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword | | checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword | | checkpoint.desc | Override application description. | keyword | 
@@ -388,6 +391,7 @@ Consists of log entries from the Log Exporter in the Syslog format. | checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer | | checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer | | checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer | +| checkpoint.update_status | Status of database update | keyword | | checkpoint.url | Translated URL. | keyword | | checkpoint.user | Source user name. | keyword | | checkpoint.user_agent | String identifying requesting software user agent. | keyword | @@ -509,7 +513,7 @@ Consists of log entries from the Log Exporter in the Syslog format. | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index 592a99100db..3925838036c 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: 0.2.3 +version: 0.2.4 release: experimental description: Check Point Integration type: integration