Cherry-pick elastic#16907 to 7.x: [SIEM][CEF] Add support for Check Point devices (elastic#17111)

* Make CEF key name mapping case-insensitive

There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to
ignore case when mapping keys to full names.

* Add missing custom CEF extensions

This adds:
 - `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected.
 - `flexNumber[12](Label)`: These two alternative custom numbers were
   dropped after V23 of the spec, but still used by some vendors.

[Maybe unnecessary] changes:

 - Changed the case of `DeviceCustomNumber2` from uppercase (as
   documented) to lowercase to align with the other fields.

* CEF module: Support Check Point devices

This adds a new ingest pipeline and fields to populate from Check Point
CEF logs.

Closes elastic#16041

(cherry picked from commit f6fde2e)
adriansr authored Mar 20, 2020
1 parent 87b82ef commit a4b5c4a
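The two mechanisms the commit message relies on, case-insensitive mapping of CEF short keys to their full names and the `<field>Label` convention that vendors such as Check Point use to give meaning to `cs1`, `cn2`, `c6a4` and `flexNumber1`, as an added Go example. This is not the Filebeat CEF module's code; it assumes a small constructed key table (a subset of the CEF dictionary, including the `deviceCustomIPv6Address2`, lower-case `deviceCustomNumber2` and `flexNumber1/2` keys named above), the standard CEF extension escapes (`\=`, `\\`, `\n`, `\r`), values that may contain spaces, and the convention that a label's value becomes the name the labelled field is reported under. The sample extension string is constructed, not a real Check Point event.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// cefKeyNames is a constructed subset of the CEF extension dictionary,
// short key -> full name, keyed in lower case so that lookups ignore the
// case inconsistencies found in vendor documentation ("C6a4Label" vs
// "c6a4Label"). Illustrative only; not the CEF module's own mapping.
var cefKeyNames = map[string]string{
	"src":              "sourceAddress",
	"dst":              "destinationAddress",
	"spt":              "sourcePort",
	"act":              "deviceAction",
	"cs1":              "deviceCustomString1",
	"cs1label":         "deviceCustomString1Label",
	"cn2":              "deviceCustomNumber2",
	"cn2label":         "deviceCustomNumber2Label",
	"c6a2":             "deviceCustomIPv6Address2",
	"c6a2label":        "deviceCustomIPv6Address2Label",
	"c6a4":             "deviceCustomIPv6Address4",
	"c6a4label":        "deviceCustomIPv6Address4Label",
	"flexnumber1":      "flexNumber1",
	"flexnumber1label": "flexNumber1Label",
	"flexnumber2":      "flexNumber2",
	"flexnumber2label": "flexNumber2Label",
}

// isKey reports whether s looks like a CEF extension key: one or more
// ASCII letters or digits (labels such as "cs1Label" included).
func isKey(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9') {
			return false
		}
	}
	return true
}

// unescape undoes the CEF extension-value escapes: \= \\ \n \r.
func unescape(v string) string {
	return strings.NewReplacer(`\=`, "=", `\\`, `\`, `\n`, "\n", `\r`, "\r").Replace(v)
}

// parseExtensions splits a CEF extension string into key/value pairs.
// Values may contain spaces, so a new pair starts only at a token of the
// form key=..., where the '=' is not escaped; other tokens are appended to
// the value of the pair currently being read.
func parseExtensions(ext string) map[string]string {
	pairs := map[string]string{}
	cur := ""
	for _, tok := range strings.Split(ext, " ") {
		if i := strings.IndexByte(tok, '='); i > 0 && tok[i-1] != '\\' && isKey(tok[:i]) {
			cur = tok[:i]
			pairs[cur] = unescape(tok[i+1:])
			continue
		}
		if cur != "" {
			pairs[cur] += " " + unescape(tok)
		}
	}
	return pairs
}

// resolveNames maps short keys to full names case-insensitively, then
// applies custom-field labels: the value of "<field>Label" becomes the
// name under which <field>'s value is reported. Unknown keys are kept as
// written; a labelled field without a label keeps its full name.
// (The label-to-name convention is an assumption of this example.)
func resolveNames(pairs map[string]string) map[string]string {
	full := map[string]string{}
	for k, v := range pairs {
		name, ok := cefKeyNames[strings.ToLower(k)]
		if !ok {
			name = k
		}
		full[name] = v
	}
	out := map[string]string{}
	for name, v := range full {
		if strings.HasSuffix(name, "Label") {
			continue // consumed below by the field it labels
		}
		if label, ok := full[name+"Label"]; ok && label != "" {
			out[label] = v
		} else {
			out[name] = v
		}
	}
	return out
}

func main() {
	// Constructed sample, not a real Check Point log line. Note the mixed
	// case in "CN2Label"/"C6a4Label", the escaped '=' and the spaces in msg.
	ext := `src=10.0.0.5 dst=192.168.1.10 act=Drop cs1Label=rule_name cs1=Block\=All CN2Label=rule_uid cn2=42 c6a4=2001:db8::1 C6a4Label=src_ipv6 flexNumber1Label=severity flexNumber1=3 msg=policy hit on port 443`
	fields := resolveNames(parseExtensions(ext))
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%q\n", k, fields[k])
	}
}
```

Because `cefKeyNames` is keyed in lower case and the lookup lower-cases the incoming key, `CN2Label`, `cn2Label` and `Cn2Label` all resolve to the same full name, which is the point of the first change in the commit message. A label that collides with a standard field name (say `cs1Label=sourceAddress`) would silently overwrite the standard field here; a production mapper should detect that and keep both.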
Showing 17 changed files with 1,642 additions and 34 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -267,6 +267,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612]
- Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244]
- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]

*Heartbeat*

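Review bot: the single changelog line added at the end of this hunk, `- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]`, under-documents the change: the commit message also describes case-insensitive CEF key-name mapping, the new `deviceCustomIPv6Address2(Label)` and `flexNumber[12](Label)` extensions, and the rename of `DeviceCustomNumber2` to lower case. The rename changes a field name that users may already reference in queries or detection rules, so it belongs in the changelog (or its breaking-changes section) rather than only in the commit body; consider a second entry such as `- Make CEF key-name mapping case-insensitive, add missing custom extensions and rename DeviceCustomNumber2 to deviceCustomNumber2. {issue}16041[16041] {pull}16907[16907]`.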
