x-pack/filebeat/module/checkpoint: add authentication operation outco…

…me mapping (#32431)
elastic · Jul 21, 2022 · adf57ad · adf57ad
1 parent 1476d87
commit adf57ad
Show file tree

Hide file tree

Showing 7 changed files with 195 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -115,6 +115,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Add references for CRI-O configuration in input-container and in our kubernetes manifests {issue}32149[32149] {pull}32151[32151]
 - httpjson input: Add `replaceAll` helper function to template context. {pull}32365[32365]
 - Optimize grok patterns in system.auth module pipeline. {pull}32360[32360]
+- Checkpoint module: add authentication operation outcome enrichment. {issue}32230[32230] {pull}32431[32431]
 
 *Auditbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -16862,6 +16862,16 @@ type: integer
 
 --
 
+*`checkpoint.identity_src`*::
++
+--
+The source for authentication identity information.
+
+
+type: keyword
+
+--
+
 *`checkpoint.information`*::
 +
 --
@@ -17438,6 +17448,16 @@ type: keyword
 Risk level we got from the engine.
 
 
+type: keyword
+
+--
+
+*`checkpoint.roles`*::
++
+--
+The role of identity.
+
+
 type: keyword
 
 --
@@ -19878,6 +19898,16 @@ type: keyword
 Reports whether watermark is added to the cleaned file.
 
 
+type: keyword
+
+--
+
+*`checkpoint.snid`*::
++
+--
+The Check Point session ID.
+
+
 type: keyword
 
 --
@@ -20408,6 +20438,16 @@ type: keyword
 Password authentication protocol used (PAP or EAP).
 
 
+type: keyword
+
+--
+
+*`checkpoint.auth_status`*::
++
+--
+The authentication status for an event.
+
+
 type: keyword
 
 --

diff --git a/x-pack/filebeat/module/checkpoint/fields.go b/x-pack/filebeat/module/checkpoint/fields.go
diff --git a/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml
@@ -76,6 +76,11 @@
       description: >
         Override application ID.
 
+    - name: identity_src
+      type: keyword
+      description: >
+        The source for authentication identity information.
+
     - name: information
       type: keyword
       overwrite: true
@@ -424,6 +429,11 @@
       description: >
         Risk level we got from the engine.
 
+    - name: roles
+      type: keyword
+      description: >
+        The role of identity.
+
     - name: observable_name
       type: keyword
       overwrite: true
@@ -1888,6 +1898,11 @@
       description: >
         Reports whether watermark is added to the cleaned file.
 
+    - name: snid
+      type: keyword
+      description: >
+        The Check Point session ID.
+
     - name: source_object
       type: keyword
       overwrite: true
@@ -2206,6 +2221,11 @@
       description: >
         Password authentication protocol used (PAP or EAP).
 
+    - name: auth_status
+      type: keyword
+      description: >
+        The authentication status for an event.
+
     - name: machine
       type: keyword
       overwrite: true

diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
@@ -243,6 +243,34 @@ processors:
       field: event.category
       value: intrusion_detection
       if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+  - set:
+      field: event.outcome
+      value: success
+      if: ctx.checkpoint?.action == 'Log In'
+  - set:
+      field: event.outcome
+      value: failure
+      if: ctx.checkpoint?.action == 'Failed Log In'
+  - append:
+      field: event.category
+      value: authentication
+      if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)"
+  - append:
+      field: event.type
+      value: allowed
+      if: ctx.checkpoint?.action == 'Log In'
+  - set:
+      field: checkpoint.action
+      value: logged-in
+      if: ctx.checkpoint?.action == 'Log In'
+  - append:
+      field: event.type
+      value: denied
+      if: ctx.checkpoint?.action == 'Failed Log In'
+  - set:
+      field: checkpoint.action
+      value: logon-failed
+      if: ctx.checkpoint?.action == 'Failed Log In'
   - append:
       field: related.ip
       value: "{{source.ip}}"
@@ -481,6 +509,18 @@ processors:
       field: checkpoint.origin
       target_field: observer.name
       ignore_missing: true
+  - rename:
+      field: checkpoint.mac_address
+      target_field: observer.mac
+      ignore_missing: true
+  - gsub:
+      field: observer.mac
+      ignore_missing: true
+      pattern: '[:]'
+      replacement: '-'
+  - uppercase:
+      field: observer.mac
+      ignore_missing: true
   - rename:
       field: checkpoint.origin_ip
       target_field: observer.ip

diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/R80.X.log b/x-pack/filebeat/module/checkpoint/firewall/test/R80.X.log
@@ -0,0 +1,2 @@
+<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"]
+<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"]
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/R80.X.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/R80.X.log-expected.json
@@ -0,0 +1,91 @@
+[
+    {
+        "@timestamp": "2022-07-06T15:53:08.000Z",
+        "event.action": "logon-failed",
+        "event.category": [
+            "authentication",
+            "network"
+        ],
+        "event.dataset": "checkpoint.firewall",
+        "event.id": "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}",
+        "event.kind": "event",
+        "event.module": "checkpoint",
+        "event.outcome": "failure",
+        "event.sequence": 3,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "denied"
+        ],
+        "fileset.name": "firewall",
+        "input.type": "log",
+        "log.offset": 0,
+        "network.direction": "inbound",
+        "observer.mac": "AA-AA-AA-AA-AA-AA",
+        "observer.name": "216.160.83.56",
+        "observer.product": "Connectra",
+        "observer.type": "firewall",
+        "observer.vendor": "Checkpoint",
+        "service.type": "checkpoint",
+        "tags": [
+            "checkpoint-firewall",
+            "forwarded"
+        ]
+    },
+    {
+        "@timestamp": "2022-07-06T16:08:25.000Z",
+        "checkpoint.auth_method": "User Authentication (Active Directory)",
+        "checkpoint.auth_status": "Successful Login",
+        "checkpoint.client_name": "Active Directory Query",
+        "checkpoint.client_version": "R80.30",
+        "checkpoint.identity_src": "AD Query",
+        "checkpoint.identity_type": "user",
+        "checkpoint.logid": "131073",
+        "checkpoint.roles": "Remote_Access_AR",
+        "checkpoint.snid": "ccaaffdd",
+        "client.ip": "81.2.69.192",
+        "client.user.group.name": "Remote_Access_Users",
+        "dns.question.name": "xxx.com",
+        "event.action": "logged-in",
+        "event.category": [
+            "authentication",
+            "network"
+        ],
+        "event.dataset": "checkpoint.firewall",
+        "event.id": "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}",
+        "event.kind": "event",
+        "event.module": "checkpoint",
+        "event.outcome": "success",
+        "event.sequence": 1,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "allowed"
+        ],
+        "fileset.name": "firewall",
+        "input.type": "log",
+        "log.offset": 372,
+        "network.direction": "inbound",
+        "observer.ip": "81.2.69.142",
+        "observer.name": "216.160.83.56",
+        "observer.product": "Identity Awareness",
+        "observer.type": "firewall",
+        "observer.vendor": "Checkpoint",
+        "related.ip": [
+            "81.2.69.192"
+        ],
+        "service.type": "checkpoint",
+        "source.geo.city_name": "London",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "GB",
+        "source.geo.country_name": "United Kingdom",
+        "source.geo.location.lat": 51.5142,
+        "source.geo.location.lon": -0.0931,
+        "source.geo.region_iso_code": "GB-ENG",
+        "source.geo.region_name": "England",
+        "source.ip": "81.2.69.192",
+        "source.user.group.name": "Remote_Access_Users",
+        "tags": [
+            "checkpoint-firewall",
+            "forwarded"
+        ]
+    }
+]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"216.160.83.56"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"]
		<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"216.160.83.56"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"81.2.69.142"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"81.2.69.192"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"]