diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index cdec9c1da0a..c9071cb5799 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.41.2"
+  changes:
+    - description: Update update_count, connection_count, aggregated_log_count types from integer to long.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15673
 - version: "1.41.1"
   changes:
     - description: Changed owners.
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
index f1ecf27bbc0..38cd5a2cef1 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
@@ -17,3 +17,4 @@ <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727691"; log_id:"4294967295"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. 
Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"] <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727750"; log_id:"2"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; 
policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; received_bytes:"60"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; sent_bytes:"0"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; suppressed_logs:"1"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"] <134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"2"; connection_count:"2"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; 
last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"2"] +<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"4294947622"; connection_count:"4294947622"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"4294947622"] \ No newline at end of file 
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
index 22a489e228c..7cbfdcbc149 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
@@ -1311,6 +1311,96 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-12-19T08:34:14.000Z", + "checkpoint": { + "aggregated_log_count": 4294947622, + "connection_count": 4294947622, + "logid": "288", + "match_id": [ + "34", + "67108866" + ], + "origin_sic_name": "CN=cp_mgmt,O=gw-0b8ccd..zx8qy7", + "parent_rule": [ + "0", + "34" + ], + "rule_action": [ + "Inline", + "Accept" + ], + "update_count": 4294947622 + }, + "destination": { + "ip": "192.168.0.10", + "port": 389 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "Accept", + "category": [ + "network" + ], + "duration": 1931000000000, + "end": "2024-12-19T08:34:14.000Z", + "id": "{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}", + "kind": "event", + "original": "<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:\"Accept\"; flags:\"16384\"; ifdir:\"inbound\"; ifname:\"eth4\"; logid:\"288\"; loguid:\"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}\"; origin:\"1.2.3.4\"; originsicname:\"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7\"; sequencenum:\"9\"; time:\"1734597254\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\\]\"; aggregated_log_count:\"4294947622\"; connection_count:\"4294947622\"; creation_time:\"1734595323\"; dst:\"192.168.0.10\"; duration:\"1931\"; hll_key:\"6549446380911603098\"; inzone:\"Internal\"; last_hit_time:\"1734597254\"; layer_name:\"Network\"; layer_name:\"Admin Traffic\"; layer_uuid:\"c135090e-7d3a-44bf-b686-1589d3183102\"; layer_uuid:\"42f39ab2-d932-4b6b-abbf-8b6bd519e15b\"; match_id:\"34\"; match_id:\"67108866\"; parent_rule:\"0\"; parent_rule:\"34\"; rule_action:\"Inline\"; rule_action:\"Accept\"; rule_name:\"Traffic Outbound\"; rule_name:\"Traffic outbound\"; rule_uid:\"31aca655-e044-4f8d-91bf-5de3505f443b\"; rule_uid:\"ee877954-c304-4159-bda3-e8f78ed4a4fa\"; outzone:\"External\"; product:\"VPN-1 & FireWall-1\"; proto:\"17\"; 
service:\"389\"; service_id:\"ldap_udp\"; src:\"192.168.20.10\"; update_count:\"4294947622\"]",
+                "sequence": 9,
+                "start": "2024-12-19T08:02:03.000Z",
+                "timezone": "UTC"
+            },
+            "network": {
+                "application": "ldap_udp",
+                "direction": "inbound",
+                "iana_number": "17",
+                "name": [
+                    "Network",
+                    "Admin Traffic"
+                ],
+                "transport": "udp"
+            },
+            "observer": {
+                "egress": {
+                    "zone": "External"
+                },
+                "ingress": {
+                    "interface": {
+                        "name": "eth4"
+                    },
+                    "zone": "Internal"
+                },
+                "name": "1.2.3.4",
+                "product": "VPN-1 & FireWall-1",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "related": {
+                "ip": [
+                    "192.168.20.10",
+                    "192.168.0.10"
+                ]
+            },
+            "rule": {
+                "name": [
+                    "Traffic Outbound",
+                    "Traffic outbound"
+                ],
+                "uuid": [
+                    "31aca655-e044-4f8d-91bf-5de3505f443b",
+                    "ee877954-c304-4159-bda3-e8f78ed4a4fa"
+                ]
+            },
+            "source": {
+                "ip": "192.168.20.10"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index b3cd2061063..ebe3a4d4028 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -1144,15 +1144,15 @@ processors:
       if: ctx.event?.duration != null
   - convert:
       field: checkpoint.update_count
-      type: integer
+      type: long
       ignore_missing: true
   - convert:
       field: checkpoint.connection_count
-      type: integer
+      type: long
       ignore_missing: true
   - convert:
       field: checkpoint.aggregated_log_count
-      type: integer
+      type: long
       ignore_missing: true
   - rename:
       field: checkpoint.message
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index 578abb1f420..3bfd6b6f0e8 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
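Review bot: The three `convert` processors in this hunk still run without `ignore_failure` or a processor-level `on_failure`, so a non-numeric string in `checkpoint.update_count`, `checkpoint.connection_count` or `checkpoint.aggregated_log_count` would fail the whole document at this step rather than leave the field unconverted; widening to `long` does not change that, and whether a pipeline-level `on_failure` catches it is outside the hunk, so please confirm. The motivating value `4294947622` equals 2^32 − 19674, which looks like a negative 32-bit counter reinterpreted as unsigned by the gateway; `long` now stores it without error but keeps the wrapped magnitude, so a comment above the first processor such as `# Check Point may emit these counters as unsigned 32-bit values (e.g. 4294947622); long avoids the integer overflow, wrapped values are kept as-is` would spare the next maintainer the same investigation. The README context in this commit still lists `checkpoint.conns_amount` ("Connections amount of aggregated log info") as `integer`; if it is a counter of the same kind it is probably exposed to the same overflow, though its convert processor is not visible here. The `processors` list begins and ends outside the hunk.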
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
@@ -26,7 +26,7 @@
       description: |
         Source administrator name.
     - name: aggregated_log_count
-      type: integer
+      type: long
       description: |
         Number of logs aggregated in the event.
     - name: alert
@@ -219,7 +219,7 @@
       type: keyword
       description: Connection direction
     - name: connection_count
-      type: integer
+      type: long
       description: Number of connections logged in this event
     - name: connection_uid
       type: keyword
@@ -1675,7 +1675,7 @@
       description: |
         Detected virus for a specific host during the last week.
     - name: update_count
-      type: integer
+      type: long
       description: Number of times the event has been updated with new occurrences
     - name: update_status
       type: keyword
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 2a087e3be72..63ecfb64c07 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -147,7 +147,7 @@ An example event for `firewall` looks as following:
 | checkpoint.additional_rdata | List of additional resource records. | keyword |
 | checkpoint.administrator | Source administrator name. | keyword |
 | checkpoint.advanced_changes | | keyword |
-| checkpoint.aggregated_log_count | Number of logs aggregated in the event. | integer |
+| checkpoint.aggregated_log_count | Number of logs aggregated in the event. | long |
 | checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
 | checkpoint.allocated_ports | Amount of allocated ports. | integer |
 | checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
@@ -197,7 +197,7 @@ An example event for `firewall` looks as following:
 | checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
 | checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
 | checkpoint.conn_direction | Connection direction | keyword |
-| checkpoint.connection_count | Number of connections logged in this event | integer |
+| checkpoint.connection_count | Number of connections logged in this event | long |
 | checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
 | checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
 | checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
@@ -600,7 +600,7 @@ An example event for `firewall` looks as following:
 | checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer |
 | checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer |
 | checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer |
-| checkpoint.update_count | Number of times the event has been updated with new occurrences | integer |
+| checkpoint.update_count | Number of times the event has been updated with new occurrences | long |
 | checkpoint.update_status | Status of database update | keyword |
 | checkpoint.url | Translated URL. | keyword |
 | checkpoint.user | Source user name. | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 4e3a8796613..69746cc65e1 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.41.1"
+version: "1.41.2"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"