forked from elastic/integrations
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Checkpoint] Fix multiple field conflicts (elastic#2895)
Fix field mapping conflicts for checkpoint.icmp_type, checkpoint.icmp_code & checkpoint.email_recipients_num.
- Loading branch information
1 parent
5ea4749
commit 3793f0a
Showing
8 changed files
with
826 additions
and
849 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
176 changes: 87 additions & 89 deletions
176
...point/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,151 +1,149 @@ | ||
| { | ||
| "expected": [ | ||
| { | ||
| "@timestamp": "2020-07-13T13:29:14.000Z", | ||
| "checkpoint": { | ||
| "logid": "0", | ||
| "match_id": "1", | ||
| "parent_rule": "0", | ||
| "rule_action": "Accept", | ||
| "match_id": "1" | ||
| "rule_action": "Accept" | ||
| }, | ||
| "destination": { | ||
| "port": 514, | ||
| "ip": "192.168.1.153" | ||
| "ip": "192.168.1.153", | ||
| "port": 514 | ||
| }, | ||
| "rule": { | ||
| "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" | ||
| "ecs": { | ||
| "version": "8.0.0" | ||
| }, | ||
| "source": { | ||
| "port": 43103, | ||
| "ip": "192.168.1.100" | ||
| "event": { | ||
| "action": "Accept", | ||
| "category": [ | ||
| "network" | ||
| ], | ||
| "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", | ||
| "kind": "event", | ||
| "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", | ||
| "outcome": "success", | ||
| "sequence": 1, | ||
| "type": [ | ||
| "allowed", | ||
| "connection" | ||
| ] | ||
| }, | ||
| "tags": [ | ||
| "preserve_original_event" | ||
| ], | ||
| "network": { | ||
| "name": "Network", | ||
| "transport": "udp", | ||
| "application": "syslog", | ||
| "direction": "outbound", | ||
| "iana_number": "17", | ||
| "direction": "outbound" | ||
| "name": "Network", | ||
| "transport": "udp" | ||
| }, | ||
| "observer": { | ||
| "name": "192.168.1.100", | ||
| "ingress": { | ||
| "zone": "Local" | ||
| }, | ||
| "product": "VPN-1 \u0026 FireWall-1", | ||
| "type": "firewall", | ||
| "vendor": "Checkpoint", | ||
| "egress": { | ||
| "interface": { | ||
| "name": "eth0" | ||
| }, | ||
| "zone": "External" | ||
| } | ||
| }, | ||
| "@timestamp": "2020-07-13T13:29:14.000Z", | ||
| "ecs": { | ||
| "version": "8.0.0" | ||
| }, | ||
| "ingress": { | ||
| "zone": "Local" | ||
| }, | ||
| "name": "192.168.1.100", | ||
| "product": "VPN-1 \u0026 FireWall-1", | ||
| "type": "firewall", | ||
| "vendor": "Checkpoint" | ||
| }, | ||
| "related": { | ||
| "ip": [ | ||
| "192.168.1.100", | ||
| "192.168.1.153" | ||
| ] | ||
| }, | ||
| "event": { | ||
| "sequence": 1, | ||
| "ingested": "2022-02-10T04:24:27.976802705Z", | ||
| "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", | ||
| "kind": "event", | ||
| "action": "Accept", | ||
| "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", | ||
| "category": [ | ||
| "network" | ||
| ], | ||
| "type": [ | ||
| "allowed", | ||
| "connection" | ||
| ], | ||
| "outcome": "success" | ||
| } | ||
| "rule": { | ||
| "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" | ||
| }, | ||
| "source": { | ||
| "ip": "192.168.1.100", | ||
| "port": 43103 | ||
| }, | ||
| "tags": [ | ||
| "preserve_original_event" | ||
| ] | ||
| }, | ||
| { | ||
| "@timestamp": "2021-05-05T12:27:09.000Z", | ||
| "checkpoint": { | ||
| "action_reason_msg": "Dropped by multiportal infrastructure" | ||
| }, | ||
| "destination": { | ||
| "geo": { | ||
| "city_name": "London", | ||
| "continent_name": "Europe", | ||
| "country_iso_code": "GB", | ||
| "country_name": "United Kingdom", | ||
| "location": { | ||
| "lat": 51.5142, | ||
| "lon": -0.0931 | ||
| }, | ||
| "region_iso_code": "GB-ENG", | ||
| "region_name": "England" | ||
| }, | ||
| "ip": "81.2.69.144", | ||
| "port": 80 | ||
| }, | ||
| "ecs": { | ||
| "version": "8.0.0" | ||
| }, | ||
| "event": { | ||
| "action": "Drop", | ||
| "category": [ | ||
| "network" | ||
| ], | ||
| "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}", | ||
| "kind": "event", | ||
| "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]", | ||
| "sequence": 62 | ||
| }, | ||
| "network": { | ||
| "direction": "inbound", | ||
| "iana_number": "6", | ||
| "transport": "tcp" | ||
| }, | ||
| "observer": { | ||
| "name": "127.0.0.1", | ||
| "ingress": { | ||
| "interface": { | ||
| "name": "bond1.3999" | ||
| } | ||
| }, | ||
| "name": "127.0.0.1", | ||
| "product": "VPN \u0026 FireWall", | ||
| "type": "firewall", | ||
| "vendor": "Checkpoint" | ||
| }, | ||
| "@timestamp": "2021-05-05T12:27:09.000Z", | ||
| "ecs": { | ||
| "version": "8.0.0" | ||
| }, | ||
| "related": { | ||
| "ip": [ | ||
| "81.2.69.144", | ||
| "81.2.69.144" | ||
| ] | ||
| }, | ||
| "destination": { | ||
| "geo": { | ||
| "continent_name": "Europe", | ||
| "region_iso_code": "GB-ENG", | ||
| "city_name": "London", | ||
| "country_iso_code": "GB", | ||
| "country_name": "United Kingdom", | ||
| "region_name": "England", | ||
| "location": { | ||
| "lon": -0.0931, | ||
| "lat": 51.5142 | ||
| } | ||
| }, | ||
| "port": 80, | ||
| "ip": "81.2.69.144" | ||
| }, | ||
| "source": { | ||
| "geo": { | ||
| "continent_name": "Europe", | ||
| "region_iso_code": "GB-ENG", | ||
| "city_name": "London", | ||
| "continent_name": "Europe", | ||
| "country_iso_code": "GB", | ||
| "country_name": "United Kingdom", | ||
| "region_name": "England", | ||
| "location": { | ||
| "lon": -0.0931, | ||
| "lat": 51.5142 | ||
| } | ||
| "lat": 51.5142, | ||
| "lon": -0.0931 | ||
| }, | ||
| "region_iso_code": "GB-ENG", | ||
| "region_name": "England" | ||
| }, | ||
| "port": 52780, | ||
| "ip": "81.2.69.144" | ||
| }, | ||
| "event": { | ||
| "sequence": 62, | ||
| "ingested": "2022-02-10T04:24:27.976807351Z", | ||
| "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]", | ||
| "kind": "event", | ||
| "action": "Drop", | ||
| "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}", | ||
| "category": [ | ||
| "network" | ||
| ] | ||
| "ip": "81.2.69.144", | ||
| "port": 52780 | ||
| }, | ||
| "tags": [ | ||
| "preserve_original_event" | ||
| ], | ||
| "network": { | ||
| "iana_number": "6", | ||
| "transport": "tcp", | ||
| "direction": "inbound" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.