From 4f6da4f9c6ac919d8824ba8b142f167544d45065 Mon Sep 17 00:00:00 2001
From: Adrian Serrano <>
Date: Tue, 14 Apr 2020 20:58:42 +0200
Subject: [PATCH] CEF CheckPoint: adjust fields for forward compatibility

This PR makes some changes to CEF module's custom mappings for Check Point
devices to ensure compatibility with the upcoming checkpoint module.

Check Point has its custom log format, for which a new module is being
prepared. The idea behind this new module as well as CEF custom mappings for
Check Point (this PR), is to use ECS whenever possible and map the rest
under checkpoint.* using the original field name from Check Point.

In the original PR for CEF, a few mistakes had been made in field names and
types. This PR also takes the opportunity to change some ECS mappings.

Related #16907 #17682
 filebeat/docs/fields.asciidoc                 | 55 ++++++--------
 filebeat/docs/modules/cef.asciidoc            | 16 ++---
 .../filebeat/module/cef/_meta/docs.asciidoc   | 16 ++---
 x-pack/filebeat/module/cef/fields.go          |  2 +-
 .../filebeat/module/cef/log/_meta/fields.yml  | 72 ++++++++++++++-----
 .../module/cef/log/ingest/cp-pipeline.yml     | 36 ++++++----
 .../cef/log/test/checkpoint.log-expected.json |  4 +-
 7 files changed, 118 insertions(+), 83 deletions(-)

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index fa7bdb0aab24..6c0fac860bf5 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -4895,7 +4895,7 @@ type: keyword
 Confidence level determined.
-type: keyword
+type: integer
@@ -4989,15 +4989,6 @@ type: long
-File hash (SHA1 or MD5).
-type: keyword
@@ -5052,6 +5043,15 @@ type: keyword
+Malware family.
+type: keyword
@@ -5066,7 +5066,7 @@ type: ip
 Protection performance impact.
-type: keyword
+type: integer
@@ -5124,16 +5124,25 @@ type: keyword
-Malware status.
+Spyware name.
 type: keyword
+Spyware status.
+type: keyword
 The expiration date of the subscription.
@@ -5196,24 +5205,6 @@ type: keyword
-Malware name.
-type: keyword
-Malware family.
-type: keyword
diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc
index bb5b77dee42e..38ac4e4cd5b0 100644
--- a/filebeat/docs/modules/cef.asciidoc
+++ b/filebeat/docs/modules/cef.asciidoc
@@ -70,9 +70,9 @@ Check Point CEF extensions are mapped as follows:
 | deviceInboundInterface     | -                           | | -                       |
 | deviceOutboundInterface    | -                           | | -                        |
 | externalId                 | -                           | -                        | checkpoint.uuid                |
-| fileHash                   | -                           | file.hash.{md5,sha1}     | checkpoint.file_hash           |
+| fileHash                   | -                           | file.hash.{md5,sha1}     | -                              |
 | reason                     | -                           | -                        | checkpoint.termination_reason  |
-| checkrequestCookies        | -                           | -                        | checkpoint.cookie              |
+| requestCookies             | -                           | -                        | checkpoint.cookie              |
 | sourceNtDomain             | -                           |        | -                              |
 | Signature                  | -                           |         | -                              |
 | Recipient                  | -                           |   | -                              |
@@ -80,7 +80,7 @@ Check Point CEF extensions are mapped as follows:
 | deviceCustomFloatingPoint1 | update version              | observer.version         | -                              |
 | deviceCustomIPv6Address2   | source ipv6 address         | source.ip                | -                              |
 | deviceCustomIPv6Address3   | destination ipv6 address    | destination.ip           | -                              |
-.3+| deviceCustomNumber1     | elapsed time in seconds     | host.uptime              | -                              |
+.3+| deviceCustomNumber1     | elapsed time in seconds     | event.duration           | -                              |
                              | email recipients number     | -                        | checkpoint.email_recipients_num |
                              | payload                     | network.bytes            | -                              |
 .2+| deviceCustomNumber2     | icmp type                   | -                        | checkpoint.icmp_type           |
@@ -100,9 +100,9 @@ Check Point CEF extensions are mapped as follows:
                              | update status               | -                        | checkpoint.update_status       |
                              | peer gateway                | -                        | checkpoint.peer_gateway        |
                              | categories                  | rule.category            | -                              |
-.4+| deviceCustomString6     | application name            |             | -                              |
+.4+| deviceCustomString6     | application name            | network.application      | -                              |
                              | virus name                  | -                        | checkpoint.virus_name          |
-                             | malware name                | -                        | checkpoint.malware_name        |
+                             | malware name                | -                        | checkpoint.spyware_name        |
                              | malware family              | -                        | checkpoint.malware_family      |
 .5+| deviceCustomString3     | user group                  |               | -                              |
                              | incident extension          | -                        | checkpoint.incident_extension  |
@@ -122,15 +122,15 @@ Check Point CEF extensions are mapped as follows:
                              | vlan id                     |          | -                              |
                              | authentication method       | -                        | checkpoint.auth_method         |
                              | email session id            | -                        | checkpoint.email_session_id    |
-| deviceCustomDate2          | subscription expiration     | -                        | checkpoint.subscription_expiration |
+| deviceCustomDate2          | subscription expiration     | -                        | checkpoint.subs_exp            |
 | deviceFlexNumber1          | confidence                  | -                        | checkpoint.confidence_level    |
 .2+| deviceFlexNumber2       | performance impact          | -                        | checkpoint.performance_impact  |
                              | destination phone number    | -                        | checkpoint.dst_phone_number    |
 | flexString1                | application signature id    | -                        | checkpoint.app_sig_id          |
-.2+| flexString2             | malware action              | event.action             | -                              |
+.2+| flexString2             | malware action              | rule.description         | -                              |
                              | attack information          | event.action             | -                              |
 | rule_uid                   | -                           | rule.uuid                | -                              |
-| ifname                     | -                           | | -                              |
+| ifname                     | -                           | | -                       |
 | inzone                     | -                           |    | -                              |
 | outzone                    | -                           |     | -                              |
 | product                    | -                           | observer.product         | -                              |
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
index d3f97e011dd9..00d2ab1e7914 100644
--- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
@@ -65,9 +65,9 @@ Check Point CEF extensions are mapped as follows:
 | deviceInboundInterface     | -                           | | -                       |
 | deviceOutboundInterface    | -                           | | -                        |
 | externalId                 | -                           | -                        | checkpoint.uuid                |
-| fileHash                   | -                           | file.hash.{md5,sha1}     | checkpoint.file_hash           |
+| fileHash                   | -                           | file.hash.{md5,sha1}     | -                              |
 | reason                     | -                           | -                        | checkpoint.termination_reason  |
-| checkrequestCookies        | -                           | -                        | checkpoint.cookie              |
+| requestCookies             | -                           | -                        | checkpoint.cookie              |
 | sourceNtDomain             | -                           |        | -                              |
 | Signature                  | -                           |         | -                              |
 | Recipient                  | -                           |   | -                              |
@@ -75,7 +75,7 @@ Check Point CEF extensions are mapped as follows:
 | deviceCustomFloatingPoint1 | update version              | observer.version         | -                              |
 | deviceCustomIPv6Address2   | source ipv6 address         | source.ip                | -                              |
 | deviceCustomIPv6Address3   | destination ipv6 address    | destination.ip           | -                              |
-.3+| deviceCustomNumber1     | elapsed time in seconds     | host.uptime              | -                              |
+.3+| deviceCustomNumber1     | elapsed time in seconds     | event.duration           | -                              |
                              | email recipients number     | -                        | checkpoint.email_recipients_num |
                              | payload                     | network.bytes            | -                              |
 .2+| deviceCustomNumber2     | icmp type                   | -                        | checkpoint.icmp_type           |
@@ -95,9 +95,9 @@ Check Point CEF extensions are mapped as follows:
                              | update status               | -                        | checkpoint.update_status       |
                              | peer gateway                | -                        | checkpoint.peer_gateway        |
                              | categories                  | rule.category            | -                              |
-.4+| deviceCustomString6     | application name            |             | -                              |
+.4+| deviceCustomString6     | application name            | network.application      | -                              |
                              | virus name                  | -                        | checkpoint.virus_name          |
-                             | malware name                | -                        | checkpoint.malware_name        |
+                             | malware name                | -                        | checkpoint.spyware_name        |
                              | malware family              | -                        | checkpoint.malware_family      |
 .5+| deviceCustomString3     | user group                  |               | -                              |
                              | incident extension          | -                        | checkpoint.incident_extension  |
@@ -117,15 +117,15 @@ Check Point CEF extensions are mapped as follows:
                              | vlan id                     |          | -                              |
                              | authentication method       | -                        | checkpoint.auth_method         |
                              | email session id            | -                        | checkpoint.email_session_id    |
-| deviceCustomDate2          | subscription expiration     | -                        | checkpoint.subscription_expiration |
+| deviceCustomDate2          | subscription expiration     | -                        | checkpoint.subs_exp            |
 | deviceFlexNumber1          | confidence                  | -                        | checkpoint.confidence_level    |
 .2+| deviceFlexNumber2       | performance impact          | -                        | checkpoint.performance_impact  |
                              | destination phone number    | -                        | checkpoint.dst_phone_number    |
 | flexString1                | application signature id    | -                        | checkpoint.app_sig_id          |
-.2+| flexString2             | malware action              | event.action             | -                              |
+.2+| flexString2             | malware action              | rule.description         | -                              |
                              | attack information          | event.action             | -                              |
 | rule_uid                   | -                           | rule.uuid                | -                              |
-| ifname                     | -                           | | -                              |
+| ifname                     | -                           | | -                       |
 | inzone                     | -                           |    | -                              |
 | outzone                    | -                           |     | -                              |
 | product                    | -                           | observer.product         | -                              |
diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go
index 217d805818d1..5e33a41c840d 100644
--- a/x-pack/filebeat/module/cef/fields.go
+++ b/x-pack/filebeat/module/cef/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCef returns asset data.
 // This is the base64 encoded gzipped contents of module/cef.
 func AssetCef() string {
-	return "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"
+	return "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"
diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml
index 40f6cdb4bfb9..264e15e12edf 100644
--- a/x-pack/filebeat/module/cef/log/_meta/fields.yml
+++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml
@@ -18,170 +18,208 @@
     - name: app_risk
       type: keyword
+      overwrite: true
       description: Application risk.
     - name: app_severity
       type: keyword
+      overwrite: true
       description: Application threat severity.
     - name: app_sig_id
       type: keyword
+      overwrite: true
       description: The signature ID which the application was detected by.
     - name: auth_method
       type: keyword
+      overwrite: true
       description: Password authentication protocol used.
     - name: category
       type: keyword
+      overwrite: true
       description: Category.
     - name: confidence_level
-      type: keyword
+      type: integer
+      overwrite: true
       description: Confidence level determined.
     - name: connectivity_state
       type: keyword
+      overwrite: true
       description: Connectivity state.
     - name: cookie
       type: keyword
+      overwrite: true
       description: IKE cookie.
     - name: dst_phone_number
       type: keyword
+      overwrite: true
       description: Destination IP-Phone.
     - name: email_control
       type: keyword
+      overwrite: true
       description: Engine name.
     - name: email_id
       type: keyword
+      overwrite: true
       description: Internal email ID.
     - name: email_recipients_num
       type: long
+      overwrite: true
       description: Number of recipients.
     - name: email_session_id
       type: keyword
+      overwrite: true
       description: Internal email session ID.
     - name: email_spool_id
+      overwrite: true
       type: keyword
       description: Internal email spool ID.
     - name: email_subject
       type: keyword
+      overwrite: true
       description: Email subject.
     - name: event_count
       type: long
+      overwrite: true
       description: Number of events associated with the log.
-    - name: file_hash
-      type: keyword
-      description: File hash (SHA1 or MD5).
     - name: frequency
       type: keyword
+      overwrite: true
       description: Scan frequency.
     - name: icmp_type
       type: long
+      overwrite: true
       description: ICMP type.
     - name: icmp_code
       type: long
+      overwrite: true
       description: ICMP code.
     - name: identity_type
       type: keyword
+      overwrite: true
       description: Identity type.
     - name: incident_extension
       type: keyword
+      overwrite: true
       description: Format of original data.
     - name: integrity_av_invoke_type
       type: keyword
+      overwrite: true
       description: Scan invoke type.
+    - name: malware_family
+      type: keyword
+      overwrite: true
+      description: Malware family.
     - name: peer_gateway
       type: ip
+      overwrite: true
       description: Main IP of the peer Security Gateway.
     - name: performance_impact
-      type: keyword
+      type: integer
+      overwrite: true
       description: Protection performance impact.
     - name: protection_id
       type: keyword
+      overwrite: true
       description: Protection malware ID.
     - name: protection_name
       type: keyword
+      overwrite: true
       description: Specific signature name of the attack.
     - name: protection_type
       type: keyword
+      overwrite: true
       description: Type of protection used to detect the attack.
     - name: scan_result
       type: keyword
+      overwrite: true
       description: Scan result.
     - name: sensor_mode
       type: keyword
+      overwrite: true
       description: Sensor mode.
     - name: severity
       type: keyword
+      overwrite: true
       description: Threat severity.
-    - name: malware_status
+    - name: spyware_name
       type: keyword
-      description: Malware status.
+      overwrite: true
+      description: Spyware name.
-    - name: subscription_expiration
+    - name: spyware_status
+      type: keyword
+      overwrite: true
+      description: Spyware status.
+    - name: subs_exp
       type: date
+      overwrite: true
       description: The expiration date of the subscription.
     - name: tcp_flags
       type: keyword
+      overwrite: true
       description: TCP packet flags.
     - name: termination_reason
       type: keyword
+      overwrite: true
       description: Termination reason.
     - name: update_status
       type: keyword
+      overwrite: true
       description: Update status.
     - name: user_status
       type: keyword
+      overwrite: true
       description: User response.
     - name: uuid
       type: keyword
+      overwrite: true
       description: External ID.
     - name: virus_name
       type: keyword
+      overwrite: true
       description: Virus name.
-    - name: malware_name
-      type: keyword
-      description: Malware name.
-    - name: malware_family
-      type: keyword
-      description: Malware family.
     - name: voip_log_type
       type: keyword
+      overwrite: true
       description: VoIP log types.
 - name: cef.extensions
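Review bot: The `email_spool_id` entry is the only one in the hunk where `overwrite: true` is placed before `type: keyword`; every other field lists `name`, `type`, `overwrite`, `description` in that order, so this entry should read `- name: email_spool_id` / `type: keyword` / `overwrite: true` / `description: Internal email spool ID.` for consistency and diffability. The reason for adding `overwrite: true` to every field is not stated anywhere in the file; the commit description suggests it is because the upcoming checkpoint module will declare the same `checkpoint.*` fields, so a one-line comment at the top of the `checkpoint` field group (which starts above this hunk) would save the next maintainer from guessing. Note also that `file_hash` is removed from this list while the ingest pipeline still uses `checkpoint.file_hash` as the source of its rename processors; see the note on that hunk.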
diff --git a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml
index f3f38355ed91..eea2f8fd5926 100644
--- a/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml
+++ b/x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml
@@ -76,7 +76,7 @@ processors:
           - name: deviceExternalId
             to: observer.type
-            # Product Family
+            # Product Family (override deviceExternalId if present).
           - name: deviceFacility
             to: observer.type
@@ -104,6 +104,10 @@ processors:
             to: checkpoint.termination_reason
           # Possibly an IKE cookie
+          - name: requestCookies
+            to: checkpoint.cookie
+          # Probably a typo in CP's CEF docs
           - name: checkrequestCookies
             to: checkpoint.cookie
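Review bot: Both `requestCookies` and `checkrequestCookies` now target `checkpoint.cookie`; if an event ever carries both extensions, which value wins depends on how the enclosing processor (which starts above this hunk) applies its entries, and that is not visible here. The new comment could say why the old name is kept rather than just calling it a typo, e.g. `# checkrequestCookies: probably a typo for requestCookies in CP's CEF docs; kept so logs using either name map to checkpoint.cookie`.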
@@ -136,7 +140,7 @@ processors:
           - name: deviceCustomNumber1
               payload: network.bytes
-              elapsed time in seconds: host.uptime
+              elapsed time in seconds: event.duration
               email recipients number: checkpoint.email_recipients_num
           - name: deviceCustomNumber2
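Review bot: ECS `event.duration` is defined in nanoseconds, while the source label says the value is in seconds, so copying it straight into `event.duration` would be off by a factor of 1e9 unless a later processor scales it. The later hunk at `field: event.duration` / `ignore_missing: true` suggests such a processor exists, but its type and body are outside the visible hunks, so this is inferred rather than confirmed. A comment on this line would make the contract explicit, e.g. `elapsed time in seconds: event.duration  # seconds; scaled to nanoseconds (ECS) by the event.duration processor below`. The enclosing processor definition starts above this hunk.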
@@ -172,9 +176,9 @@ processors:
           - name: deviceCustomString6
-              application name:
+              application name: network.application
               virus name: checkpoint.virus_name
-              malware name: checkpoint.malware_name
+              malware name: checkpoint.spyware_name
               malware family: checkpoint.malware_family
           - name: deviceCustomString3
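Review bot: The CEF label `malware name` is now mapped to `checkpoint.spyware_name`, whose description in fields.yml is "Spyware name", so the label and the target field no longer agree and a reader of this pipeline will assume a mistake. Per the commit description the rename exists to match the field naming of the upcoming checkpoint module; that should be recorded next to the mapping, e.g. `malware name: checkpoint.spyware_name  # CP reports this as "malware name"; field named to match the checkpoint module`. The enclosing processor definition starts above this hunk.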
@@ -208,7 +212,7 @@ processors:
           - name: deviceCustomDate2
-              subscription expiration: checkpoint.subscription_expiration
+              subscription expiration: checkpoint.subs_exp
           - name: deviceFlexNumber1
@@ -225,7 +229,7 @@ processors:
           - name: flexString2
-              malware action: event.action
+              malware action: rule.description
               attack information: event.action
           - name: rule_uid
@@ -295,15 +299,19 @@ processors:
             field: event.duration
             ignore_missing: true
-  # checkpoint.file_hash can be either MD5 or SHA1.
-  - set:
-      field: file.hash.md5
-      value: '{{checkpoint.file_hash}}'
+  # checkpoint.file_hash can be either MD5, SHA1 or SHA256.
+  - rename:
+      field: checkpoint.file_hash
+      target_field: file.hash.md5
       if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32'
-  - set:
-      field: file.hash.sha1
-      value: '{{checkpoint.file_hash}}'
+  - rename:
+      field: checkpoint.file_hash
+      target_field: file.hash.sha1
       if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40'
+  - rename:
+      field: checkpoint.file_hash
+      target_field: file.hash.sha256
+      if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64'
   # Event kind is 'event' by default. 'alert' when a risk score and rule info
   # is present.
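Review bot: The three `rename` processors only move `checkpoint.file_hash` when its length is exactly 32, 40 or 64, so any other value (another digest length, a truncated or padded hash) is left under `checkpoint.file_hash`, a field this same commit deletes from fields.yml in the `_meta/fields.yml` hunk; the value then ends up undeclared in the index template. Either keep `file_hash` declared in fields.yml for that fallback case, or add a fourth processor that handles the non-matching case explicitly so the behaviour is deliberate rather than accidental. The length check also accepts any 32/40/64-character string, not only hex digests; if Check Point only ever emits hex hashes that is fine, but the comment should say so: `# checkpoint.file_hash can be MD5, SHA1 or SHA256; selected by length only (assumes hex digests)`.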
@@ -324,7 +332,7 @@ processors:
   - set:
       field: event.category
       value: malware
-      if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.malware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null'
+      if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null'
   - set:
       field: event.category
       value: intrusion_detection
diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
index 0cc100922d00..1dce9c9aae7c 100644
--- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
+++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
@@ -116,8 +116,7 @@
         "cef.severity": "Unknown",
         "cef.version": "0",
         "checkpoint.email_control": "SMTP Policy Restrictions",
-        "checkpoint.file_hash": "55f4a511e6f630a6b1319505414f114e7bcaf13d",
-        "checkpoint.subscription_expiration": "2020-04-11T10:42:13.000Z",
+        "checkpoint.subs_exp": "2020-04-11T10:42:13.000Z",
         "destination.port": 25,
         "event.action": "Bypass",
         "event.code": "Log",
@@ -165,7 +164,6 @@
         "cef.version": "0",
         "checkpoint.app_risk": "High",
         "checkpoint.event_count": "12",
-        "checkpoint.file_hash": "580a783c1cb2b20613323f715d231a69",
         "checkpoint.severity": "Very-High",
         "destination.ip": "::1",
         "event.action": "Drop",