
Filebeat module Checkpoint - add ECS authentication fields for SIEM #32230

Closed
leweafan opened this issue Jul 6, 2022 · 5 comments · Fixed by #32431
leweafan (Contributor) commented Jul 6, 2022

Describe the enhancement:

Checkpoint logs have authentication messages for successful and failed attempts. But ECS fields important for SIEM, like
event.category, event.type, event.action and event.outcome, are missing.

Authentication success/failure messages have event.action:

  • "Log In"
  • "Failed Log In"

Successful authentication message should have fields:

  • event.category = "authentication"
  • event.type = "start"
  • event.outcome = "success"

Failed authentication message should have fields:

  • event.category = "authentication"
  • event.type = "start"
  • event.outcome = "failure"

Describe a specific use case for the enhancement or feature:

<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"10.10.10.10"; originsicname:"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"; sequencenum:"3"; time:"1657122788"; version:"5"; mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"]
<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; loguid:"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}"; origin:"10.10.10.10"; originsicname:"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7"; sequencenum:"1"; time:"1657123705"; version:"5"; auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; client_name:"Active Directory Query"; client_version:"R80.30"; domain_name:"xxx.com"; endpoint_ip:"11.11.11.11"; identity_src:"AD Query"; identity_type:"user"; product:"Identity Awareness"; roles:"Remote_Access_AR"; snid:"ccaaffdd"; src:"20.20.20.20"; src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; src_user_name:"usrTest (usrTest)"; user:"usrTest (usrTest)"]

Steps to reproduce

POST /_ingest/pipeline/filebeat-7.17.4-checkpoint-firewall-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "message": "<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - [action:\"Failed Log In\"; flags:\"18688\"; ifdir:\"inbound\"; loguid:\"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}\"; origin:\"10.10.10.10\"; originsicname:\"CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tsxtf7\"; sequencenum:\"3\"; time:\"1657122788\"; version:\"5\"; mac_address:\"aa:aa:aa:aa:aa:aa\"; product:\"Connectra\"]\n"
      }
    }
  ]
}
POST /_ingest/pipeline/filebeat-7.17.4-checkpoint-firewall-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "message": "<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - [action:\"Log In\"; flags:\"150784\"; ifdir:\"inbound\"; logid:\"131073\"; loguid:\"{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}\"; origin:\"10.10.10.10\"; originsicname:\"CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7\"; sequencenum:\"1\"; time:\"1657123705\"; version:\"5\"; auth_method:\"User Authentication (Active Directory)\"; auth_status:\"Successful Login\"; client_name:\"Active Directory Query\"; client_version:\"R80.30\"; domain_name:\"xxx.com\"; endpoint_ip:\"11.11.11.11\"; identity_src:\"AD Query\"; identity_type:\"user\"; product:\"Identity Awareness\"; roles:\"Remote_Access_AR\"; snid:\"ccaaffdd\"; src:\"20.20.20.20\"; src_user_group:\"Remote_Access_Users; Remote_Admins; All Users; AD_Users\"; src_user_name:\"usrTest (usrTest)\"; user:\"usrTest (usrTest)\"]\n"
      }
    }
  ]
}

Result

{
  "docs" : [
    {
      "doc" : {
        "_index" : "_index",
        "_type" : "_doc",
        "_id" : "_id",
        "_source" : {
          "checkpoint" : {
            "mac_address" : "aa:aa:aa:aa:aa:aa"
          },
          "observer" : {
            "name" : "10.10.10.10",
            "product" : "Connectra",
            "type" : "firewall",
            "vendor" : "Checkpoint"
          },
          "@timestamp" : "2022-07-06T15:53:08.000Z",
          "event" : {
            "sequence" : 3,
            "ingested" : "2022-07-06T16:07:56.807951471Z",
            "kind" : "event",
            "module" : "checkpoint",
            "action" : "Failed Log In",
            "id" : "{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}",
            "category" : [
              "network"
            ]
          },
          "network" : {
            "direction" : "inbound"
          }
        },
        "_ingest" : {
          "timestamp" : "2022-07-06T16:07:56.807951471Z"
        }
      }
    }
  ]
}
{
  "docs" : [
    {
      "doc" : {
        "_index" : "_index",
        "_type" : "_doc",
        "_id" : "_id",
        "_source" : {
          "checkpoint" : {
            "identity_src" : "AD Query",
            "auth_method" : "User Authentication (Active Directory)",
            "snid" : "ccaaffdd",
            "roles" : "Remote_Access_AR",
            "logid" : "131073",
            "auth_status" : "Successful Login",
            "client_version" : "R80.30",
            "identity_type" : "user",
            "client_name" : "Active Directory Query"
          },
          "observer" : {
            "name" : "10.10.10.10",
            "product" : "Identity Awareness",
            "type" : "firewall",
            "vendor" : "Checkpoint",
            "ip" : "11.11.11.11"
          },
          "@timestamp" : "2022-07-06T16:08:25.000Z",
          "related" : {
            "ip" : [
              "20.20.20.20"
            ]
          },
          "dns" : {
            "question" : {
              "name" : "xxx.com"
            }
          },
          "client" : {
            "user" : {
              "group" : {
                "name" : "Remote_Access_Users"
              }
            },
            "ip" : "20.20.20.20"
          },
          "source" : {
            "geo" : {
              "continent_name" : "North America",
              "country_name" : "United States",
              "location" : {
                "lon" : -97.822,
                "lat" : 37.751
              },
              "country_iso_code" : "US"
            },
            "as" : {
              "number" : 8075,
              "organization" : {
                "name" : "Microsoft Corporation"
              }
            },
            "user" : {
              "group" : {
                "name" : "Remote_Access_Users"
              }
            },
            "ip" : "20.20.20.20"
          },
          "event" : {
            "sequence" : 1,
            "ingested" : "2022-07-06T16:15:11.467667564Z",
            "kind" : "event",
            "module" : "checkpoint",
            "action" : "Log In",
            "id" : "{0xf40caad8,0x2dccf344,0xbf0fb0c8,0x6e943a48}",
            "category" : [
              "network"
            ]
          },
          "network" : {
            "direction" : "inbound"
          }
        },
        "_ingest" : {
          "timestamp" : "2022-07-06T16:15:11.467667564Z"
        }
      }
    }
  ]
}
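To make the requested mapping concrete, here is an added Python sketch (not code from the issue or from the Filebeat checkpoint module) that parses the bracketed key:"value" body of a Check Point syslog line like the two samples above and derives event.category, event.type and event.outcome from the action field exactly as the issue proposes; any other action keeps the module's current "network" category. The two sample lines are shortened copies of the ones quoted in the issue, and the function names, the regexes and the use of ECS arrays for event.category/event.type are assumptions of this example.

```python
import re

# Constructed sample lines: shortened copies of the two authentication events
# quoted in the issue (one failed, one successful login).
SAMPLE_FAILED = (
    '<134>1 2022-07-06T15:53:08Z checkpoint-logs CheckPoint 2700 - '
    '[action:"Failed Log In"; flags:"18688"; ifdir:"inbound"; '
    'loguid:"{0xf17d1a9b,0x453b1e67,0xf27bccbf,0x233793e1}"; origin:"10.10.10.10"; '
    'sequencenum:"3"; time:"1657122788"; version:"5"; '
    'mac_address:"aa:aa:aa:aa:aa:aa"; product:"Connectra"]'
)
SAMPLE_SUCCESS = (
    '<134>1 2022-07-06T16:08:25Z checkpoint-logs CheckPoint 2700 - '
    '[action:"Log In"; flags:"150784"; ifdir:"inbound"; logid:"131073"; '
    'origin:"10.10.10.10"; sequencenum:"1"; time:"1657123705"; version:"5"; '
    'auth_method:"User Authentication (Active Directory)"; auth_status:"Successful Login"; '
    'product:"Identity Awareness"; src:"20.20.20.20"; '
    'src_user_group:"Remote_Access_Users; Remote_Admins; All Users; AD_Users"; '
    'user:"usrTest (usrTest)"]'
)

# RFC 5424 style header as it appears in the samples: <PRI>1 TIMESTAMP HOST APP PROCID - [body]
HEADER_RE = re.compile(r'^<\d+>1 (?P<ts>\S+) \S+ \S+ \S+ - \[')
# key:"value" pairs; matching on the quoted value means a ';' inside a value
# (src_user_group) is not mistaken for a field separator.
KV_RE = re.compile(r'(\w+):"([^"]*)"')

# Check Point action values that denote an authentication attempt and the
# ECS event.outcome each one maps to (from the issue description).
AUTH_ACTIONS = {
    "Log In": "success",
    "Failed Log In": "failure",
}


def parse_checkpoint(line):
    """Return the key/value pairs from the bracketed body of a Check Point syslog line."""
    start = line.index('[')
    end = line.rindex(']')
    return dict(KV_RE.findall(line[start + 1:end]))


def enrich_ecs(fields):
    """Build the ECS event.* object for parsed fields.

    Authentication actions get category/type/outcome as requested in the issue;
    everything else keeps the module's current generic "network" category.
    """
    event = {"kind": "event", "action": fields.get("action"), "category": ["network"]}
    outcome = AUTH_ACTIONS.get(fields.get("action"))
    if outcome is not None:
        event["category"] = ["authentication"]
        event["type"] = ["start"]
        event["outcome"] = outcome
    return event


def process_line(line):
    """End-to-end: header timestamp, raw checkpoint fields, and the ECS event block."""
    header = HEADER_RE.match(line)
    if header is None:
        raise ValueError("not a Check Point syslog line")
    fields = parse_checkpoint(line)
    return {
        "@timestamp": header.group("ts"),
        "checkpoint": fields,
        "event": enrich_ecs(fields),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_SUCCESS):
        doc = process_line(sample)
        print(doc["@timestamp"], doc["event"])
```

In the module itself the same decision would be expressed as ingest-pipeline `set` processors guarded by an `if` condition on the parsed action, so that the simulate requests in the issue return the authentication category and outcome instead of only "network".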
botelastic bot added the needs_team label Jul 6, 2022

elasticmachine (Collaborator) commented

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic bot removed the needs_team label Jul 18, 2022
efd6 self-assigned this Jul 19, 2022

efd6 (Contributor) commented Jul 19, 2022

@leweafan Can you check the syntax of the first event in the examples you have provided? The mac address is quoted with escaped double quotes. Is this intentional?

<134>1 2022-07-06T15:53:08Z ..... version:"5"; mac_address:\"aa:aa:aa:aa:aa:aa\"; ..... ectra"]

leweafan (Contributor, Author) commented Jul 19, 2022

@efd6 thanks for the help with this issue! You are right, the escape character is unnecessary. My bad. Fixed the message.

andrewkroh (Member) commented Jul 19, 2022

@leweafan What model / version of Checkpoint were these log samples taken from?

It's useful to know the lineage of the log samples we have.

leweafan (Contributor, Author) commented

@andrewkroh we have R80.30 and R80.40 versions.
