diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml index 1c2fe692e93..dedb24facf4 100644 --- a/packages/checkpoint/changelog.yml +++ b/packages/checkpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num` + type: bugfix + link: https://github.com/elastic/integrations/pull/2895 - version: "1.3.1" changes: - description: Add Ingest Pipeline script to map IANA Protocol Numbers diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json index baae87f7ec3..f2178ed700e 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json @@ -1,51 +1,56 @@ { "expected": [ { + "@timestamp": "2020-07-13T13:29:14.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 514, - "ip": "192.168.1.153" + "ip": "192.168.1.153", + "port": 514 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 43103, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "syslog", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-07-13T13:29:14.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -53,99 +58,92 @@ "192.168.1.153" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:27.976802705Z", - "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 43103 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-05-05T12:27:09.000Z", "checkpoint": { "action_reason_msg": "Dropped by multiportal infrastructure" }, + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Drop", + "category": [ + "network" + ], + "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}", + "kind": "event", + "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]", + "sequence": 62 + }, + "network": { + "direction": "inbound", + "iana_number": "6", + "transport": "tcp" + }, "observer": { - "name": "127.0.0.1", "ingress": { "interface": { "name": "bond1.3999" } }, + "name": "127.0.0.1", "product": "VPN \u0026 FireWall", "type": "firewall", "vendor": "Checkpoint" }, - "@timestamp": "2021-05-05T12:27:09.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "81.2.69.144", "81.2.69.144" ] }, - "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "port": 80, - "ip": "81.2.69.144" - }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 52780, - "ip": "81.2.69.144" - }, - "event": { - "sequence": 62, - "ingested": "2022-02-10T04:24:27.976807351Z", - "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]", - "kind": "event", - "action": "Drop", - "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}", - "category": [ - "network" - ] + "ip": "81.2.69.144", + "port": 52780 }, "tags": [ "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "inbound" - } + ] } ] } \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index 9575366c2de..97fd649b6a5 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json @@ -1,123 +1,126 @@ { "expected": [ { + "@timestamp": "2020-03-29T13:19:20.000Z", "checkpoint": { "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"1\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk\"]", + "sequence": 1 + }, + "network": { + "direction": "inbound" + }, "observer": { - "name": "192.168.1.100", "ingress": { "interface": { "name": "daemon" } }, + "name": "192.168.1.100", "product": "System Monitor", "type": "firewall", "vendor": "Checkpoint" }, - "@timestamp": "2020-03-29T13:19:20.000Z", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-03-29T13:19:21.000Z", + "checkpoint": { + "sys_message": "installed Standard" + }, "ecs": { "version": "8.0.0" }, "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996402733Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"1\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk\"]", - "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", "category": [ "network" ], - "kind": "event" + "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"2\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"installed Standard\"]", + "sequence": 2 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "inbound" - } - }, - { - "checkpoint": { - "sys_message": "installed Standard" }, "observer": { - "name": "192.168.1.100", "ingress": { "interface": { "name": "daemon" } }, + "name": "192.168.1.100", "product": "System Monitor", "type": "firewall", "vendor": "Checkpoint" }, - "@timestamp": "2020-03-29T13:19:21.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "sequence": 2, - "ingested": "2022-02-10T04:24:28.996407352Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"2\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"installed Standard\"]", - "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", - "category": [ - "network" - ], - "kind": "event" - }, "tags": [ "preserve_original_event" - ], - "network": { - "direction": "inbound" - } + ] }, { + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 53, - "ip": "192.168.1.1" + "ip": "192.168.1.1", + "port": 53 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 46915, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"46915\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "domain-udp", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "Internal" - } - }, - "@timestamp": "2020-03-29T13:19:22.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -125,86 +128,82 @@ "192.168.1.1" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996409340Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"46915\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 46915 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint": { - "nat_addtnl_rulenum": "0", "logid": "0", - "parent_rule": "0", - "rule_action": "Accept", + "match_id": "1", + "nat_addtnl_rulenum": "0", "nat_rulenum": "0", - "match_id": "1" + "parent_rule": "0", + "rule_action": "Accept" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 443, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 443 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "port": 26680 - }, - "port": 61794, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", + "outcome": "success", + "sequence": 2, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "tcp", "application": "https", + "direction": "outbound", "iana_number": "6", - "direction": "outbound" + "name": "Network", + "transport": "tcp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "Internal" - } - }, - "@timestamp": "2020-03-29T13:19:22.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -212,69 +211,71 @@ "81.2.69.144" ] }, - "event": { - "sequence": 2, - "ingested": "2022-02-10T04:24:28.996411105Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "nat": { + "port": 26680 + }, + "port": 61794 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 53, - "ip": "192.168.1.1" + "ip": "192.168.1.1", + "port": 53 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 36749, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"36749\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 3, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "domain-udp", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "Internal" - } - }, - "@timestamp": "2020-03-29T13:19:22.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -282,119 +283,114 @@ "192.168.1.1" ] }, - "event": { - "sequence": 3, - "ingested": "2022-02-10T04:24:28.996412860Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"36749\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 36749 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-29T23:18:44.000Z", "checkpoint": { - "description": "Contracts", "comment": "No update was found", + "description": "Contracts", "status": "Finished" }, - "observer": { - "name": "192.168.1.100", - "product": "Security Gateway/Management", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2020-03-29T23:18:44.000Z", "ecs": { "version": "8.0.0" }, "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996414586Z", - "original": "\u003c134\u003e1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", - "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", "category": [ "network" ], - "kind": "event" + "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", + "sequence": 1 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "inbound" - } + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-29T23:18:43.000Z", "checkpoint": { - "nat_addtnl_rulenum": "0", "logid": "0", - "parent_rule": "0", - "rule_action": "Accept", + "match_id": "1", + "nat_addtnl_rulenum": "0", "nat_rulenum": "0", - "match_id": "1" + "parent_rule": "0", + "rule_action": "Accept" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "port": 10860 - }, - "port": 61180, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", + "outcome": "success", + "sequence": 8, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "tcp", "application": "http", + "direction": "outbound", "iana_number": "6", - "direction": "outbound" + "name": "Network", + "transport": "tcp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-29T23:18:43.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -402,198 +398,195 @@ "81.2.69.144" ] }, - "event": { - "sequence": 8, - "ingested": "2022-02-10T04:24:28.996416349Z", - "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "nat": { + "port": 10860 + }, + "port": 61180 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-29T23:18:53.000Z", "checkpoint": { + "conn_direction": "Outgoing", "log_delay": "1585523933", "logid": "0", - "conn_direction": "Outgoing", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 53, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 53 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 55039, - "ip": "192.168.2.2" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "domain-udp", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", "ingress": { "interface": { "name": "eth1" } }, + "name": "192.168.1.100", "product": "VPN-1 \u0026 FireWall-1", "type": "firewall", "vendor": "Checkpoint" }, - "@timestamp": "2020-03-29T23:18:53.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "192.168.2.2", "81.2.69.144" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996418089Z", - "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.2.2", + "port": 55039 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T01:18:44.000Z", "checkpoint": { "description": "Contracts", "status": "Started" }, - "observer": { - "name": "192.168.1.100", - "product": "Security Gateway/Management", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2020-03-30T01:18:44.000Z", "ecs": { "version": "8.0.0" }, "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996419800Z", - "original": "\u003c134\u003e1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Started\"; update_service:\"1\"; version:\"1.0\"]", - "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" ], - "kind": "event" + "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Started\"; update_service:\"1\"; version:\"1.0\"]", + "sequence": 1 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "inbound" - } + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T01:18:46.000Z", "checkpoint": { - "nat_addtnl_rulenum": "0", "logid": "0", - "parent_rule": "0", - "rule_action": "Accept", + "match_id": "1", + "nat_addtnl_rulenum": "0", "nat_rulenum": "0", - "match_id": "1" + "parent_rule": "0", + "rule_action": "Accept" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "nat": { - "port": 11157 - }, - "port": 51894, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", + "outcome": "success", + "sequence": 2, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "tcp", "application": "http", + "direction": "outbound", "iana_number": "6", - "direction": "outbound" + "name": "Network", + "transport": "tcp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-30T01:18:46.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -601,69 +594,71 @@ "81.2.69.144" ] }, - "event": { - "sequence": 2, - "ingested": "2022-02-10T04:24:28.996421506Z", - "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "nat": { + "port": 11157 + }, + "port": 51894 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T01:18:46.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 53, - "ip": "192.168.1.1" + "ip": "192.168.1.1", + "port": 53 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 47919, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"47919\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 3, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "domain-udp", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-30T01:18:46.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -671,102 +666,100 @@ "192.168.1.1" ] }, - "event": { - "sequence": 3, - "ingested": "2022-02-10T04:24:28.996423229Z", - "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"47919\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 47919 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T01:18:46.000Z", "checkpoint": { - "description": "Contracts", "comment": "No update was found", + "description": "Contracts", "status": "Finished" }, - "observer": { - "name": "192.168.1.100", - "product": "Security Gateway/Management", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2020-03-30T01:18:46.000Z", "ecs": { "version": "8.0.0" }, "event": { - "sequence": 5, - "ingested": "2022-02-10T04:24:28.996425036Z", - "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"5\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", - "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" ], - "kind": "event" + "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"5\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", + "sequence": 5 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "inbound" - } + }, + "observer": { + "name": "192.168.1.100", + "product": "Security Gateway/Management", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T06:12:45.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 514, - "ip": "192.168.1.153" + "ip": "192.168.1.153", + "port": 514 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 43103, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"13\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 13, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "syslog", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-30T06:12:45.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -774,137 +767,134 @@ "192.168.1.153" ] }, - "event": { - "sequence": 13, - "ingested": "2022-02-10T04:24:28.996426740Z", - "original": "\u003c134\u003e1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"13\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 43103 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T06:12:51.000Z", "checkpoint": { "db_ver": "20033003", "description": "Gateway was updated with database version: 22032001.", "update_status": "updated" }, - "observer": { - "name": "192.168.1.100", - "product": "Application Control", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2020-03-30T06:12:51.000Z", "ecs": { "version": "8.0.0" }, "event": { - "severity": 1, - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996428521Z", - "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"Application Control\"; severity:\"1\"; update_status:\"updated\"]", - "kind": "event", - "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" - ] + ], + "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"Application Control\"; severity:\"1\"; update_status:\"updated\"]", + "sequence": 1, + "severity": 1 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "outbound" - } - }, - { - "checkpoint": { - "db_ver": "20033003", - "description": "Gateway was updated with database version: 22032001.", - "update_status": "updated" }, "observer": { "name": "192.168.1.100", - "product": "URL Filtering", + "product": "Application Control", "type": "firewall", "vendor": "Checkpoint" }, + "tags": [ + "preserve_original_event" + ] + }, + { "@timestamp": "2020-03-30T06:12:51.000Z", + "checkpoint": { + "db_ver": "20033003", + "description": "Gateway was updated with database version: 22032001.", + "update_status": "updated" + }, "ecs": { "version": "8.0.0" }, "event": { - "severity": 1, - "sequence": 2, - "ingested": "2022-02-10T04:24:28.996430249Z", - "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"URL Filtering\"; severity:\"1\"; update_status:\"updated\"]", - "kind": "event", - "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", "category": [ "network" - ] + ], + "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"URL Filtering\"; severity:\"1\"; update_status:\"updated\"]", + "sequence": 2, + "severity": 1 }, - "tags": [ - "preserve_original_event" - ], "network": { "direction": "outbound" - } + }, + "observer": { + "name": "192.168.1.100", + "product": "URL Filtering", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T06:13:21.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 138, - "ip": "192.168.1.255" + "ip": "192.168.1.255", + "port": 138 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 138, - "ip": "192.168.1.1" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e818e01,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"138\"; service:\"138\"; service_id:\"nbdatagram\"; src:\"192.168.1.1\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "nbdatagram", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", + "egress": { + "zone": "Local" + }, "ingress": { "interface": { "name": "eth0" }, "zone": "External" }, + "name": "192.168.1.100", "product": "VPN-1 \u0026 FireWall-1", "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "zone": "Local" - } - }, - "@timestamp": "2020-03-30T06:13:21.000Z", - "ecs": { - "version": "8.0.0" + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -912,136 +902,134 @@ "192.168.1.255" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996432022Z", - "original": "\u003c134\u003e1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"138\"; service:\"138\"; service_id:\"nbdatagram\"; src:\"192.168.1.1\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e818e01,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.1", + "port": 138 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T06:13:42.000Z", "checkpoint": { - "tcp_packet_out_of_state": "First packet isn't SYN", + "logid": "1", "tcp_flags": "FIN-ACK", - "logid": "1" - }, - "observer": { - "name": "192.168.1.100", - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "interface": { - "name": "eth0" - } - } - }, - "@timestamp": "2020-03-30T06:13:42.000Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "ip": [ - "192.168.1.100", - "81.2.69.144" - ] + "tcp_packet_out_of_state": "First packet isn't SYN" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "source": { - "port": 65488, - "ip": "192.168.1.100" + "ecs": { + "version": "8.0.0" }, "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996433788Z", - "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", - "kind": "event", "action": "Drop", - "id": "{0x5e818e17,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" + ], + "id": "{0x5e818e17,0x0,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", + "sequence": 1 + }, + "network": { + "direction": "outbound", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "eth0" + } + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" + }, + "related": { + "ip": [ + "192.168.1.100", + "81.2.69.144" ] }, + "source": { + "ip": "192.168.1.100", + "port": 65488 + }, "tags": [ "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" - } + ] }, { + "@timestamp": "2020-03-30T07:18:59.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 514, - "ip": "192.168.1.153" + "ip": "192.168.1.153", + "port": 514 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 43103, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e819d63,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "syslog", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-30T07:18:59.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -1049,69 +1037,68 @@ "192.168.1.153" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996435512Z", - "original": "\u003c134\u003e1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e819d63,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 43103 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T07:19:22.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 137, - "ip": "192.168.1.255" + "ip": "192.168.1.255", + "port": 137 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 50024, - "ip": "192.168.1.196" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"50024\"; service:\"137\"; service_id:\"nbname\"; src:\"192.168.1.196\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "nbname", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", + "egress": { + "zone": "Local" + }, "ingress": { "interface": { "name": "eth0" }, "zone": "External" }, + "name": "192.168.1.100", "product": "VPN-1 \u0026 FireWall-1", "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "zone": "Local" - } - }, - "@timestamp": "2020-03-30T07:19:22.000Z", - "ecs": { - "version": "8.0.0" + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -1119,69 +1106,68 @@ "192.168.1.255" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996437195Z", - "original": "\u003c134\u003e1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"50024\"; service:\"137\"; service_id:\"nbname\"; src:\"192.168.1.196\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.196", + "port": 50024 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T07:20:33.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 22, - "ip": "192.168.1.100" + "ip": "192.168.1.100", + "port": 22 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 60226, - "ip": "192.168.1.205" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.100\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"60226\"; service:\"22\"; service_id:\"ssh\"; src:\"192.168.1.205\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "tcp", "application": "ssh", + "direction": "inbound", "iana_number": "6", - "direction": "inbound" + "name": "Network", + "transport": "tcp" }, "observer": { - "name": "192.168.1.100", + "egress": { + "zone": "Local" + }, "ingress": { "interface": { "name": "eth0" }, "zone": "External" }, + "name": "192.168.1.100", "product": "VPN-1 \u0026 FireWall-1", "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "zone": "Local" - } - }, - "@timestamp": "2020-03-30T07:20:33.000Z", - "ecs": { - "version": "8.0.0" + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -1189,69 +1175,68 @@ "192.168.1.100" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996438884Z", - "original": "\u003c134\u003e1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.100\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"60226\"; service:\"22\"; service_id:\"ssh\"; src:\"192.168.1.205\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.205", + "port": 60226 + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2020-03-30T07:20:35.000Z", "checkpoint": { "logid": "0", + "match_id": "1", "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "rule_action": "Accept" }, "destination": { - "port": 514, - "ip": "192.168.1.153" + "ip": "192.168.1.153", + "port": 514 }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + "ecs": { + "version": "8.0.0" }, - "source": { - "port": 43103, - "ip": "192.168.1.100" + "event": { + "action": "Accept", + "category": [ + "network" + ], + "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", + "kind": "event", + "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", + "outcome": "success", + "sequence": 1, + "type": [ + "allowed", + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "name": "Network", - "transport": "udp", "application": "syslog", + "direction": "outbound", "iana_number": "17", - "direction": "outbound" + "name": "Network", + "transport": "udp" }, "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", "egress": { "interface": { "name": "eth0" }, "zone": "External" - } - }, - "@timestamp": "2020-03-30T07:20:35.000Z", - "ecs": { - "version": "8.0.0" + }, + "ingress": { + "zone": "Local" + }, + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" }, "related": { "ip": [ @@ -1259,22 +1244,16 @@ "192.168.1.153" ] }, - "event": { - "sequence": 1, - "ingested": "2022-02-10T04:24:28.996440562Z", - "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", - "kind": "event", - "action": "Accept", - "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", - "category": [ - "network" - ], - "type": [ - "allowed", - "connection" - ], - "outcome": "success" - } + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "ip": "192.168.1.100", + "port": 43103 + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index e346513f6f8..f50e09ade7d 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -4,9 +4,6 @@ processors: - set: field: ecs.version value: '8.0.0' - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - rename: field: message target_field: event.original diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml index a61254120d9..e46ad29fddb 100644 --- a/packages/checkpoint/data_stream/firewall/fields/fields.yml +++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml @@ -203,7 +203,7 @@ description: | The operation nuber. - name: email_recipients_num - type: integer + type: long description: | Amount of recipients whom the mail was sent to. - name: suppressed_logs @@ -653,11 +653,11 @@ description: | Connection closing time. - name: icmp_type - type: integer + type: long description: | In case a connection is ICMP, type info will be added to the log. - name: icmp_code - type: integer + type: long description: | In case a connection is ICMP, code info will be added to the log. - name: rpc_prog diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md index 13dc7cca310..189b81f98cf 100644 --- a/packages/checkpoint/docs/README.md +++ b/packages/checkpoint/docs/README.md @@ -219,7 +219,7 @@ An example event for `firewall` looks as following: | checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword | | checkpoint.email_queue_id | Postfix email queue id. | keyword | | checkpoint.email_queue_name | Postfix email queue name. | keyword | -| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | integer | +| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long | | checkpoint.email_session_id | Connection uuid. | keyword | | checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword | | checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword | @@ -268,8 +268,8 @@ An example event for `firewall` looks as following: | checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword | | checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer | | checkpoint.icmp | Number of packets, received by the client. | keyword | -| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | integer | -| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | integer | +| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long | +| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long | | checkpoint.id | Override application ID. | integer | | checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword | | checkpoint.ike_ids | All QM ids. | keyword | diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index 9b93dd76a4c..d0351da40be 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: 1.3.1 +version: 1.3.2 release: ga description: Collect logs from Check Point with Elastic Agent. type: integration