
[SIEM][CEF] Add support for Check Point devices #16907

Merged
merged 11 commits into from
Mar 18, 2020
Make CEF key name mapping case-insensitive
There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to
ignore case when mapping keys to full names.
adriansr committed Mar 18, 2020
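As an added example (not code from the beats project or from this commit), the following Go program shows the same case-folded lookup in isolation, together with the two failure modes it introduces: a dictionary whose entries collide once lower-cased, and an event whose raw keys fold to the same full name. The mapping table, the minimal extension parser (no CEF escape handling) and the sample extension strings are constructed for the example; the real table and the real decoder live in x-pack/filebeat/processors/decode_cef.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed subset of the CEF extension dictionary: short key -> full name.
// The project's table has hundreds of entries; these are enough to exercise
// the case folding and the collision check.
var extensionMapping = map[string]string{
	"src":       "sourceAddress",
	"dst":       "destinationAddress",
	"c6a4":      "deviceCustomIPv6Address4",
	"c6a4Label": "deviceCustomIPv6Address4Label",
	"cn1Label":  "deviceCustomNumber1Label",
}

// extensionMappingLowerCase is the case-folded index, built once at start-up.
var extensionMappingLowerCase = make(map[string]string, len(extensionMapping))

func init() {
	for k, v := range extensionMapping {
		lk := strings.ToLower(k)
		// Two dictionary entries differing only by case would make the lookup
		// nondeterministic (Go map iteration order is randomized), so fail
		// loudly at start-up instead of silently keeping one of them.
		if prev, dup := extensionMappingLowerCase[lk]; dup {
			panic(fmt.Sprintf("cef: %q and %q collide after case folding", prev, v))
		}
		extensionMappingLowerCase[lk] = v
	}
}

// keyStart matches "key=" at the start of the extension string or after
// whitespace. Values may contain spaces, so each value runs up to the start
// of the next key.
var keyStart = regexp.MustCompile(`(?:^|\s)([A-Za-z0-9_]+)=`)

// parseExtensions splits a CEF extension string into raw key/value pairs,
// keeping each key exactly as the device wrote it. CEF escapes (\= \\ \n)
// are deliberately not handled; this is the minimum needed to show the mapping.
func parseExtensions(ext string) map[string]string {
	out := map[string]string{}
	locs := keyStart.FindAllStringSubmatchIndex(ext, -1)
	for i, loc := range locs {
		key := ext[loc[2]:loc[3]]
		valEnd := len(ext)
		if i+1 < len(locs) {
			valEnd = locs[i+1][0]
		}
		out[key] = strings.TrimSpace(ext[loc[1]:valEnd])
	}
	return out
}

// mapKeys translates raw keys to full names case-insensitively and reports
// every full name that more than one raw key folded to. Keys are visited in
// sorted order so that, on a collision, first-wins is deterministic.
func mapKeys(raw map[string]string) (mapped map[string]string, collisions []string) {
	keys := make([]string, 0, len(raw))
	for k := range raw {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	mapped = map[string]string{}
	seen := map[string]bool{}
	for _, k := range keys {
		target, ok := extensionMappingLowerCase[strings.ToLower(k)]
		if !ok {
			target = k // unknown key: left under its raw name
		}
		if seen[target] {
			collisions = append(collisions, target)
			continue
		}
		seen[target] = true
		mapped[target] = raw[k]
	}
	return mapped, collisions
}

func main() {
	// Constructed sample: "C6a4Label" is the spelling in the CEF docs,
	// "c6a4Label" the one devices usually emit.
	raw := parseExtensions("src=10.0.0.1 C6a4Label=Agent IPv6 Address dst=10.0.0.2")
	mapped, collisions := mapKeys(raw)
	fmt.Println(mapped, collisions)

	raw = parseExtensions("c6a4Label=A C6a4Label=B")
	_, collisions = mapKeys(raw)
	fmt.Println(collisions)
}
```

The collision list is what the decoder in this commit lacks: once both spellings fold to one target, something has to decide which value survives, and silently letting the last map iteration win is the wrong choice for a log pipeline.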

commit 5aed15128e7e8d548cd3b6a8e7231ad86ce9efbf
2 changes: 1 addition & 1 deletion x-pack/filebeat/processors/decode_cef/cef/cef.go
@@ -124,7 +124,7 @@ func (e *Event) Unpack(data string, opts ...Option) error {
}

for key, field := range e.Extensions {
mapping, found := extensionMapping[key]
mapping, found := extensionMappingLowerCase[strings.ToLower(key)]
if !found {
continue
}
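Review bot: with the lookup changed to `extensionMappingLowerCase[strings.ToLower(key)]`, two extension keys that differ only in case (say `c6a4Label` and `C6a4Label` in the same event) now resolve to the same `mapping.Target`, and nothing in the visible loop guards against that target being written twice; whichever key Go happens to iterate last in `e.Extensions` silently wins. Consider tracking targets already written in this pass and either keeping the first value or reporting the duplicate, so the output is deterministic. The hunk also does not show cef.go's import block; confirm `strings` is already imported there, since keys.go needed it added in this same commit.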
10 changes: 10 additions & 0 deletions x-pack/filebeat/processors/decode_cef/cef/keys.go
@@ -4,6 +4,8 @@

package cef

import "strings"

type mappedField struct {
Target string
Type DataType
@@ -657,3 +659,11 @@ var extensionMapping = map[string]mappedField{
Type: TimestampType,
},
}

var extensionMappingLowerCase = map[string]mappedField{}

func init() {
for k, v := range extensionMapping {
extensionMappingLowerCase[strings.ToLower(k)] = v
}
}
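Review bot: the `init` loop silently tolerates two `extensionMapping` entries that differ only in case: both fold to the same lower-cased key, and because Go map iteration order is randomized, which `mappedField` ends up in `extensionMappingLowerCase` would change from run to run. Add a collision check before the assignment, e.g. `lower := strings.ToLower(k)` followed by `if _, dup := extensionMappingLowerCase[lower]; dup { panic("cef: duplicate key after case folding: " + k) }`, so a bad dictionary entry fails at start-up rather than surfacing as a flaky mapping. Minor: `make(map[string]mappedField, len(extensionMapping))` avoids rehashing while the index is filled.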
@@ -948,7 +948,6 @@
"agentType": "agent_ac",
"agentVersion": "7.1.7.7602.0",
"assetCriticality": "0",
"c6a4Label": "Agent IPv6 Address",
"categoryBehavior": "/Access/Stop",
"categoryDeviceGroup": "/Firewall",
"categoryDeviceType": "Firewall",
@@ -958,6 +957,7 @@
"deviceAddress": "111.111.111.99",
"deviceAssetId": "5Wa8hHVSDFBCc-t56wI7mTw==",
"deviceCustomIPv6Address4": "ffff:0:0:0:222:5555:ffff:5555",
"deviceCustomIPv6Address4Label": "Agent IPv6 Address",
"deviceCustomNumber1Label": "ICMP Type",
"deviceCustomNumber2Label": "ICMP Code",
"deviceCustomNumber3Label": "DurationInSeconds",
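Review bot: the golden-file change (the `c6a4Label` entry dropped from the raw extensions and `deviceCustomIPv6Address4Label` now appearing beside `deviceCustomIPv6Address4`) documents the new behaviour only through one sample event, and that event uses the lower-case spelling. Since the motivation was the `C6a4Label` spelling in the CEF docs, this commit should also carry a direct unit test that feeds `Unpack` an extension string with that mixed-case key and asserts it lands in `deviceCustomIPv6Address4Label`; otherwise the case-insensitive path is exercised only indirectly, and a later regression to an exact-match lookup would just change this golden file without saying why.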