[SIEM][CEF] Add support for Check Point devices (elastic#16907)
* Make CEF key name mapping case-insensitive

There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to
ignore case when mapping keys to full names.

* Add missing custom CEF extensions

This adds:
 - `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected.
 - `flexNumber[12](Label)`: These two alternative custom numbers were
   dropped after V23 of the spec, but still used by some vendors.

[Maybe unnecessary] changes:

 - Changed the case of `DeviceCustomNumber2` from uppercase (as
   documented) to lowercase to align with the other fields.

* CEF module: Support Check Point devices

This adds a new ingest pipeline and fields to populate from Check Point
CEF logs.

Closes elastic#16041
adriansr authored Mar 18, 2020
1 parent 21be671 commit f6fde2e
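As an added illustration of the two decoder behaviours the commit message describes (case-insensitive key-name mapping and the extra custom extensions), here is a small CEF extension parser in Go. This is not the CEF module's own code: the short-key table is an assumed subset of the CEF spec and the sample extension string is constructed.

```go
package main

import "fmt"
import "strings"

// Lower-cased short key -> full name (an assumed subset of the CEF table, not the module's own).
var fullNames = map[string]string{
	"c6a2": "deviceCustomIPv6Address2", "c6a2label": "deviceCustomIPv6Address2Label",
	"c6a4": "deviceCustomIPv6Address4", "c6a4label": "deviceCustomIPv6Address4Label",
	"flexnumber1": "flexNumber1", "flexnumber1label": "flexNumber1Label",
}

// FullName maps a CEF short key to its full name ignoring case, so "C6a4Label"
// and "c6a4Label" resolve identically. Unknown keys pass through unchanged.
func FullName(key string) string {
	if name, ok := fullNames[strings.ToLower(key)]; ok {
		return name
	}
	return key
}

// ParseExtensions turns a CEF extension string into a full-name -> value map. A key
// is the last space-delimited word before an unescaped '='; "\=" and "\\" are decoded.
func ParseExtensions(ext string) map[string]string {
	out, key := map[string]string{}, ""
	var buf strings.Builder
	for i := 0; i < len(ext); i++ {
		switch c := ext[i]; {
		case c == '\\' && i+1 < len(ext): // escaped byte is kept literally
			i++
			buf.WriteByte(ext[i])
		case c == '=':
			text := buf.String()
			buf.Reset()
			sp := strings.LastIndexByte(text, ' ')
			if key != "" {
				out[FullName(key)] = strings.TrimSpace(text[:sp+1])
			}
			key = text[sp+1:]
		default:
			buf.WriteByte(c)
		}
	}
	if key != "" {
		out[FullName(key)] = strings.TrimSpace(buf.String())
	}
	return out
}

func main() { fmt.Println(ParseExtensions(`src=10.0.0.1 C6a4=2001:db8::1 c6a4Label=Device\=IPv6 flexNumber1=42`)) } // constructed sample
```

Note that mixed-case keys such as `C6a4` and `c6a4Label` land on the same full-name family, and a `\=` inside a label value no longer starts a new key.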
Showing 17 changed files with 1,643 additions and 34 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -186,6 +186,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049]
- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
- Add Filebeat Okta module. {pull}16362[16362]
- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}NNNN[NNNN]
- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]

*Heartbeat*

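Review bot: the replaced changelog line only credits the "custom string mapping" part of Check Point support, while the commit message also makes CEF key-name matching case-insensitive, adds the `deviceCustomIPv6Address2(Label)` and `flexNumber[12](Label)` extensions, and changes `DeviceCustomNumber2` to lowercase; since the case change can alter field names existing users already see, consider a second entry alongside the fixed `{pull}16907[16907]` line, e.g. `- Make CEF extension key matching case-insensitive and add flexNumber1/2 and deviceCustomIPv6Address2 extensions. {pull}16907[16907]`.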
