
[Filebeat] Allow cef and checkpoint modules to override network directionality based off of zones (elastic#23066)

* [Filebeat] Allow cef and checkpoint modules to override network directionality based off of zones

* Remove _temp_

* Add changelog entry

* run mage update and add variable reference

* Don't override categorization if no zone set

* Update cef pipeline
Andrew Stucki authored Dec 10, 2020
1 parent 462537d commit f52e452
Showing 13 changed files with 205 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -759,6 +759,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046]
- Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046]
- Add `network.direction` to netflow/log fileset. {pull}23052[23052]
- Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066]

*Heartbeat*

16 changes: 16 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -461,6 +461,14 @@ filebeat.modules:
syslog_host: localhost
syslog_port: 9003

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

#------------------------------ Checkpoint Module ------------------------------
- module: checkpoint
firewall:
Expand All @@ -476,6 +484,14 @@ filebeat.modules:
# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 9001

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

#-------------------------------- Cisco Module --------------------------------
- module: cisco
asa:
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/cef/_meta/config.yml
Expand Up @@ -4,3 +4,11 @@
var:
syslog_host: localhost
syslog_port: 9003

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
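Review bot: The comment on the new `var.internal_zones` / `var.external_zones` entries does not say that the override only applies when both lists are configured; the conditions added in `cp-pipeline.yml` and in the checkpoint `firewall/ingest/pipeline.yml` require `_temp_.external_zones` and `_temp_.internal_zones` to be non-null together, and the input template adds each one only when it is set, so configuring a single list is a silent no-op. A line such as `# Both internal_zones and external_zones must be set for the override to apply; otherwise network.direction keeps the parsed value.` above the two keys would make that visible. The existing sentence also starts lowercase mid-way (`used to override`); `# Internal security zones, used to override the parsed network.direction based on the ingress/egress zone.` reads better. The same text appears in `x-pack/filebeat/module/checkpoint/_meta/config.yml` and in the generated reference and `modules.d` copies, so change it at the `_meta` source and re-run the generator.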
14 changes: 14 additions & 0 deletions x-pack/filebeat/module/cef/log/config/input.yml
Expand Up @@ -29,3 +29,17 @@ processors:
target: ''
fields:
ecs.version: 1.7.0

{{ if .external_zones }}
- add_fields:
target: _temp_
fields:
external_zones: {{ .external_zones | tojson }}
{{ end }}

{{ if .internal_zones }}
- add_fields:
target: _temp_
fields:
internal_zones: {{ .internal_zones | tojson }}
{{ end }}
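Review bot: `{{ .external_zones | tojson }}` passes whatever type the user configured straight into `_temp_.external_zones`, and the manifest declares the var with no default and no type, so a scalar such as `external_zones: External` is accepted without error; downstream, `ctx._temp_.external_zones.contains(...)` in the ingest pipeline would then, as far as I can tell, resolve to the Painless String substring method instead of a list membership test, so a zone named `Ext` would match `External`. The list requirement is not documented anywhere in the commit; a template comment above the block, `{{/* internal_zones and external_zones must be lists; both are required for the direction override in the ingest pipeline */}}`, would at least state the expectation, and the user-facing config comment should say the same. The identical block is added in `x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml`, which also omits the blank line between `ecs.version: 1.7.0` and `{{ if .external_zones }}`.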
61 changes: 61 additions & 0 deletions x-pack/filebeat/module/cef/log/ingest/cp-pipeline.yml
Expand Up @@ -337,3 +337,64 @@ processors:
field: event.category
value: intrusion_detection
if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")'

# Handle zone-based network directionality
- set:
field: network.direction
value: inbound
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
- set:
field: network.direction
value: outbound
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: internal
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: external
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: unknown
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
(
(
!ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
!ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
) ||
(
!ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
!ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
)
)
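Review bot: The five `set` processors run in sequence with no else-chain, so a zone listed in both `internal_zones` and `external_zones` satisfies more than one condition and the last matching processor wins: with the ingress zone in both lists and the egress zone only internal, `inbound` is set first and then overwritten by `internal`. Nothing in the commit says the two lists must be disjoint; a comment above the block, `# internal_zones and external_zones must not overlap: a zone in both lists matches several rules below and the last match wins.`, would document the constraint. Note also that the final `unknown` rule replaces a direction already parsed from the log whenever either observer zone is absent from both lists, which looks intended but deserves a sentence in the config comment. The enclosing `processors:` list starts above this hunk. The block is duplicated verbatim in `x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml`, so the same points apply there.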
4 changes: 4 additions & 0 deletions x-pack/filebeat/module/cef/log/ingest/pipeline.yml
Expand Up @@ -87,6 +87,10 @@ processors:
- pipeline:
name: '{< IngestPipeline "cp-pipeline" >}'
if: "ctx.cef?.device?.vendor == 'Check Point'"
- remove:
field:
- _temp_
ignore_missing: true
on_failure:
- set:
field: error.message
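Review bot: The new `remove` of `_temp_` only runs when every earlier processor succeeds; on an exception the pipeline-level `on_failure` handler below takes over, and the part of it visible here only sets `error.message`, so a failed document would still be indexed with the configured zone lists attached under `_temp_` unless the handler removes them further down (the block is cut off at the end of the hunk). Adding `- remove: {field: _temp_, ignore_missing: true}` to `on_failure` keeps the internal field out of the index on both paths. The checkpoint `firewall/ingest/pipeline.yml` has the same shape, with `_temp_` in the final `remove` list and `on_failure` following it.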
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cef/log/manifest.yml
Expand Up @@ -12,6 +12,8 @@ var:
default: 9003
- name: input
default: syslog
- name: internal_zones
- name: external_zones

ingest_pipeline:
- ingest/pipeline.yml
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/checkpoint/_meta/config.yml
Expand Up @@ -11,3 +11,11 @@

# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 9001

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
13 changes: 13 additions & 0 deletions x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
Expand Up @@ -29,3 +29,16 @@ processors:
target: ''
fields:
ecs.version: 1.7.0
{{ if .external_zones }}
- add_fields:
target: _temp_
fields:
external_zones: {{ .external_zones | tojson }}
{{ end }}

{{ if .internal_zones }}
- add_fields:
target: _temp_
fields:
internal_zones: {{ .internal_zones | tojson }}
{{ end }}
60 changes: 60 additions & 0 deletions x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
Expand Up @@ -781,6 +781,65 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
# Handle zone-based network directionality
- set:
field: network.direction
value: inbound
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
- set:
field: network.direction
value: outbound
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: internal
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: external
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
- set:
field: network.direction
value: unknown
if: >
ctx?._temp_?.external_zones != null &&
ctx?._temp_?.internal_zones != null &&
ctx?.observer?.ingress?.zone != null &&
ctx?.observer?.egress?.zone != null &&
(
(
!ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
!ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
) ||
(
!ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
!ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
)
)
- remove:
field:
- checkpoint.client_outbound_packets
Expand All @@ -801,6 +860,7 @@ processors:
- checkpoint.uid
- checkpoint.time
- syslog5424_ts
- _temp_
ignore_missing: true
on_failure:
- set:
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/checkpoint/firewall/manifest.yml
Expand Up @@ -10,6 +10,8 @@ var:
- name: input
default: syslog
- name: ssl
- name: internal_zones
- name: external_zones

ingest_pipeline:
- ingest/pipeline.yml
8 changes: 8 additions & 0 deletions x-pack/filebeat/modules.d/cef.yml.disabled
Expand Up @@ -7,3 +7,11 @@
var:
syslog_host: localhost
syslog_port: 9003

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
8 changes: 8 additions & 0 deletions x-pack/filebeat/modules.d/checkpoint.yml.disabled
Expand Up @@ -14,3 +14,11 @@

# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 9001

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
