checkpoint_firewall: update count types from integer to long

Author: haetamoudi

packages/checkpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.41.2"
+  changes:
+    - description: Update update_count, connection_count, aggregated_log_count types from integer to long.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15673
 - version: "1.41.1"
   changes:
     - description: Changed owners.

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log

@@ -17,3 +17,4 @@
 <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727691"; log_id:"4294967295"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
 <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727750"; log_id:"2"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; received_bytes:"60"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; sent_bytes:"0"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; suppressed_logs:"1"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
 <134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"2"; connection_count:"2"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"2"]
+<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"4294947622"; connection_count:"4294947622"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"4294947622"]

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json

@@ -1311,6 +1311,96 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2024-12-19T08:34:14.000Z",
+            "checkpoint": {
+                "aggregated_log_count": 4294947622,
+                "connection_count": 4294947622,
+                "logid": "288",
+                "match_id": [
+                    "34",
+                    "67108866"
+                ],
+                "origin_sic_name": "CN=cp_mgmt,O=gw-0b8ccd..zx8qy7",
+                "parent_rule": [
+                    "0",
+                    "34"
+                ],
+                "rule_action": [
+                    "Inline",
+                    "Accept"
+                ],
+                "update_count": 4294947622
+            },
+            "destination": {
+                "ip": "192.168.0.10",
+                "port": 389
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "Accept",
+                "category": [
+                    "network"
+                ],
+                "duration": 1931000000000,
+                "end": "2024-12-19T08:34:14.000Z",
+                "id": "{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}",
+                "kind": "event",
+                "original": "<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:\"Accept\"; flags:\"16384\"; ifdir:\"inbound\"; ifname:\"eth4\"; logid:\"288\"; loguid:\"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}\"; origin:\"1.2.3.4\"; originsicname:\"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7\"; sequencenum:\"9\"; time:\"1734597254\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\\]\"; aggregated_log_count:\"4294947622\"; connection_count:\"4294947622\"; creation_time:\"1734595323\"; dst:\"192.168.0.10\"; duration:\"1931\"; hll_key:\"6549446380911603098\"; inzone:\"Internal\"; last_hit_time:\"1734597254\"; layer_name:\"Network\"; layer_name:\"Admin Traffic\"; layer_uuid:\"c135090e-7d3a-44bf-b686-1589d3183102\"; layer_uuid:\"42f39ab2-d932-4b6b-abbf-8b6bd519e15b\"; match_id:\"34\"; match_id:\"67108866\"; parent_rule:\"0\"; parent_rule:\"34\"; rule_action:\"Inline\"; rule_action:\"Accept\"; rule_name:\"Traffic Outbound\"; rule_name:\"Traffic outbound\"; rule_uid:\"31aca655-e044-4f8d-91bf-5de3505f443b\"; rule_uid:\"ee877954-c304-4159-bda3-e8f78ed4a4fa\"; outzone:\"External\"; product:\"VPN-1 & FireWall-1\"; proto:\"17\"; service:\"389\"; service_id:\"ldap_udp\"; src:\"192.168.20.10\"; update_count:\"4294947622\"]",
+                "sequence": 9,
+                "start": "2024-12-19T08:02:03.000Z",
+                "timezone": "UTC"
+            },
+            "network": {
+                "application": "ldap_udp",
+                "direction": "inbound",
+                "iana_number": "17",
+                "name": [
+                    "Network",
+                    "Admin Traffic"
+                ],
+                "transport": "udp"
+            },
+            "observer": {
+                "egress": {
+                    "zone": "External"
+                },
+                "ingress": {
+                    "interface": {
+                        "name": "eth4"
+                    },
+                    "zone": "Internal"
+                },
+                "name": "1.2.3.4",
+                "product": "VPN-1 & FireWall-1",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "related": {
+                "ip": [
+                    "192.168.20.10",
+                    "192.168.0.10"
+                ]
+            },
+            "rule": {
+                "name": [
+                    "Traffic Outbound",
+                    "Traffic outbound"
+                ],
+                "uuid": [
+                    "31aca655-e044-4f8d-91bf-5de3505f443b",
+                    "ee877954-c304-4159-bda3-e8f78ed4a4fa"
+                ]
+            },
+            "source": {
+                "ip": "192.168.20.10"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml

@@ -1144,15 +1144,15 @@ processors:
       if: ctx.event?.duration != null
   - convert:
       field: checkpoint.update_count
-      type: integer
+      type: long
       ignore_missing: true
   - convert:
       field: checkpoint.connection_count
-      type: integer
+      type: long
       ignore_missing: true
   - convert:
       field: checkpoint.aggregated_log_count
-      type: integer
+      type: long
       ignore_missing: true
   - rename:
       field: checkpoint.message

packages/checkpoint/data_stream/firewall/fields/fields.yml

@@ -26,7 +26,7 @@
       description: |
         Source administrator name.
     - name: aggregated_log_count
-      type: integer
+      type: long
       description: |
         Number of logs aggregated in the event.
     - name: alert
@@ -219,7 +219,7 @@
       type: keyword
       description: Connection direction
     - name: connection_count
-      type: integer
+      type: long
       description: Number of connections logged in this event
     - name: connection_uid
       type: keyword
@@ -1675,7 +1675,7 @@
       description: |
         Detected virus for a specific host during the last week.
     - name: update_count
-      type: integer
+      type: long
       description: Number of times the event has been updated with new occurrences
     - name: update_status
       type: keyword

packages/checkpoint/docs/README.md

@@ -147,7 +147,7 @@ An example event for `firewall` looks as following:
 | checkpoint.additional_rdata | List of additional resource records. | keyword |
 | checkpoint.administrator | Source administrator name. | keyword |
 | checkpoint.advanced_changes |  | keyword |
-| checkpoint.aggregated_log_count | Number of logs aggregated in the event. | integer |
+| checkpoint.aggregated_log_count | Number of logs aggregated in the event. | long |
 | checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
 | checkpoint.allocated_ports | Amount of allocated ports. | integer |
 | checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
@@ -197,7 +197,7 @@ An example event for `firewall` looks as following:
 | checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
 | checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
 | checkpoint.conn_direction | Connection direction | keyword |
-| checkpoint.connection_count | Number of connections logged in this event | integer |
+| checkpoint.connection_count | Number of connections logged in this event | long |
 | checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
 | checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
 | checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
@@ -600,7 +600,7 @@ An example event for `firewall` looks as following:
 | checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer |
 | checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer |
 | checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer |
-| checkpoint.update_count | Number of times the event has been updated with new occurrences | integer |
+| checkpoint.update_count | Number of times the event has been updated with new occurrences | long |
 | checkpoint.update_status | Status of database update | keyword |
 | checkpoint.url | Translated URL. | keyword |
 | checkpoint.user | Source user name. | keyword |

packages/checkpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.41.1"
+version: "1.41.2"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"