Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][CEF] Add support for Check Point devices #16907

Merged
merged 11 commits into from
Mar 18, 2020
Merged

[SIEM][CEF] Add support for Check Point devices #16907

merged 11 commits into from
Mar 18, 2020

Commits on Mar 18, 2020

  1. Make CEF key name mapping case-insensitive 

    There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to
ignore case when mapping keys to full names.
    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    5aed151 View commit details
    Browse the repository at this point in the history

  2. Add missing custom CEF extensions 

    This adds:
 - `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected.
 - `flexNumber[12](Label)`: These two alternative custom numbers were
   dropped after V23 of the spec, but still used by some vendors.

[Maybe unnecessary] changes:

 - Changed the case of `DeviceCustomNumber2` from uppercase as
   documented) to lowercase to align with the other fields.
    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    9639d3a View commit details
    Browse the repository at this point in the history

  3. CEF module: Support Check Point devices 

    This adds a new ingest pipeline and fields to populate from Check Point
CEF logs.

Closes elastic#16041
    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    b2210e7 View commit details
    Browse the repository at this point in the history

  4. Add docs

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    e3f9f86 View commit details
    Browse the repository at this point in the history

  5. Changelog entry

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    92a30c0 View commit details
    Browse the repository at this point in the history

  6. Add PR number

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    aae6071 View commit details
    Browse the repository at this point in the history

  7. Update decode_cef golden files

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    2db8b7a View commit details
    Browse the repository at this point in the history

  8. Remove temporary ECS fields after rebase

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    ab3418c View commit details
    Browse the repository at this point in the history

  9. observer.interface -> observer.ingress.interface

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    98f9f17 View commit details
    Browse the repository at this point in the history

  10. Try to populate some event categorisation fields

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    d17acce View commit details
    Browse the repository at this point in the history

  11. Update golden files

    @adriansr
    adriansr committed Mar 18, 2020
    Configuration menu
    Copy the full SHA
    81a7702 View commit details
    Browse the repository at this point in the history