diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 97ebee74aa3..e74d9171162 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.45.0"
+ changes:
+ - description: Process the packets field in SecureXL format.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16235
 - version: "1.44.0"
 changes:
 - description: Update KV split logic to take email headers into account.
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log
new file mode 100644
index 00000000000..e37aed76a71
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log
@@ -0,0 +1,2 @@
+<134>1 2025-01-21T09:36:10Z TEST_HOSTNAME CheckPoint 16953 - [action:"Drop"; flags:"409600"; ifdir:"inbound"; logid:"0"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1737452170"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; drop_reason:"matched optimized drop"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; packet_amount:"5"; packets:" <81.2.69.142,59912,81.2.69.144,1990,6;eth0> <81.2.69.142,40252,81.2.69.144,999,6;eth0> <81.2.69.142,60636,89.160.20.128,999,6;eth0> <81.2.69.142,43010,89.160.20.128,1898,6;eth0> <81.2.69.142,59440,81.2.69.144,1898,6;eth0>"]
+<134>1 2025-01-21T09:37:10Z TEST_HOSTNAME CheckPoint 16953 - [action:"Drop"; flags:"409600"; ifdir:"inbound"; logid:"0"; loguid:"{0x5e818e17,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; time:"1737452230"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; drop_reason:"matched optimized drop"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; packet_amount:"3"; packets:" <81.2.69.142,45000,81.2.69.144,443,6> <81.2.69.142,45001,89.160.20.128,80,17> <81.2.69.142,45002,81.2.69.144,8080,6>"]
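Review bot: Both sample events carry only well-formed tuples (five comma-separated fields, with or without a `;eth0` interface suffix), so this pipeline test never exercises what the new packets script does with a malformed `packets` value such as a non-numeric port, which is the path most likely to appear in real device output. Adding one event with a deliberately broken tuple (a constructed example: `<81.2.69.142,abc,81.2.69.144,80,6>`) and recording its expected output would pin whether the event is kept with that tuple skipped or fails ingestion outright.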
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log-expected.json
new file mode 100644
index 00000000000..b2525916bd7
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-packet-drop.log-expected.json
@@ -0,0 +1,221 @@ +{ + "expected": [ + { + "@timestamp": "2025-01-21T09:36:10.000Z", + "checkpoint": { + "drop_reason": "matched optimized drop", + "logid": "0", + "match_id": "1", + "origin_sic_name": "cn=cp_mgmt,o=gw-da58d3..tmn8s8", + "packet_amount": "5", + "packets_dropped": [ + { + "destination": { + "ip": "81.2.69.144", + "port": 1990 + }, + "interface": { + "name": "eth0" + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 59912 + } + }, + { + "destination": { + "ip": "81.2.69.144", + "port": 999 + }, + "interface": { + "name": "eth0" + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 40252 + } + }, + { + "destination": { + "ip": "89.160.20.128", + "port": 999 + }, + "interface": { + "name": "eth0" + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 60636 + } + }, + { + "destination": { + "ip": "89.160.20.128", + "port": 1898 + }, + "interface": { + "name": "eth0" + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 43010 + } + }, + { + "destination": { + "ip": "81.2.69.144", + "port": 1898 + }, + "interface": { + "name": "eth0" + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 59440 + } + } + ], + "parent_rule": "0", + "rule_action": "Drop" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "Drop", + "category": [ + "network" + ], + "id": "{0x5e818e17,0x0,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "<134>1 2025-01-21T09:36:10Z TEST_HOSTNAME CheckPoint 16953 - [action:\"Drop\"; flags:\"409600\"; ifdir:\"inbound\"; logid:\"0\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1737452170\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; drop_reason:\"matched optimized drop\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Drop\"; rule_name:\"Cleanup rule\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; packet_amount:\"5\"; packets:\" <81.2.69.142,59912,81.2.69.144,1990,6;eth0> <81.2.69.142,40252,81.2.69.144,999,6;eth0> <81.2.69.142,60636,89.160.20.128,999,6;eth0> <81.2.69.142,43010,89.160.20.128,1898,6;eth0> <81.2.69.142,59440,81.2.69.144,1898,6;eth0>\"]", + "outcome": "success", + "sequence": 1, + "timezone": "UTC", + "type": [ + "connection", + "denied" + ] + }, + "network": { + "direction": "inbound", + "name": "Network" + }, + "observer": { + "name": "192.168.1.100", + "type": "firewall", + "vendor": "Checkpoint" + }, + "rule": { + "name": "Cleanup rule", + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2025-01-21T09:37:10.000Z", + "checkpoint": { + "drop_reason": "matched optimized drop", + "logid": "0", + "match_id": "1", + "origin_sic_name": "cn=cp_mgmt,o=gw-da58d3..tmn8s8", + "packet_amount": "3", + "packets_dropped": [ + { + "destination": { + "ip": "81.2.69.144", + "port": 443 + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 45000 + } + }, + { + "destination": { + "ip": "89.160.20.128", + "port": 80 + }, + "network": { + "iana_number": "17" + }, + "source": { + "ip": "81.2.69.142", + "port": 45001 + } + }, + { + "destination": { + "ip": "81.2.69.144", + "port": 8080 + }, + "network": { + "iana_number": "6" + }, + "source": { + "ip": "81.2.69.142", + "port": 45002 + } + } + ], + "parent_rule": "0", + "rule_action": "Drop" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "Drop", + "category": [ + "network" + ], + "id": 
"{0x5e818e17,0x1,0x6401a8c0,0x108620ab}", + "kind": "event", + "original": "<134>1 2025-01-21T09:37:10Z TEST_HOSTNAME CheckPoint 16953 - [action:\"Drop\"; flags:\"409600\"; ifdir:\"inbound\"; logid:\"0\"; loguid:\"{0x5e818e17,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; time:\"1737452230\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; drop_reason:\"matched optimized drop\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Drop\"; rule_name:\"Cleanup rule\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; packet_amount:\"3\"; packets:\" <81.2.69.142,45000,81.2.69.144,443,6> <81.2.69.142,45001,89.160.20.128,80,17> <81.2.69.142,45002,81.2.69.144,8080,6>\"]", + "outcome": "success", + "sequence": 2, + "timezone": "UTC", + "type": [ + "connection", + "denied" + ] + }, + "network": { + "direction": "inbound", + "name": "Network" + }, + "observer": { + "name": "192.168.1.100", + "type": "firewall", + "vendor": "Checkpoint" + }, + "rule": { + "name": "Cleanup rule", + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 557151f2367..c1419e6fe53 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -1018,6 +1018,39 @@ processors:
 tag: remove_checkpoint_subs_exp_19a22c63
 field: checkpoint.subs_exp
 ignore_missing: true
+ - script:
+ tag: script_parse_checkpoint_packets_dropped
+ description: Parse packets field containing connection tuples into structured packets_dropped array.
+ if: ctx.checkpoint?.packets instanceof String && ctx.checkpoint.packets.trim().startsWith('<')
+ lang: painless
+ source: |
+ String packetsStr = ctx.checkpoint.packets.trim();
+ def parsed = [];
+ String[] entries = packetsStr.splitOnToken('>');
+ for (int i = 0; i < entries.length; i++) {
+ String entry = entries[i].trim();
+ if (entry.length() == 0) continue;
+ if (entry.startsWith('<')) {
+ entry = entry.substring(1);
+ }
+ def packet = new HashMap();
+ String[] parts = entry.splitOnToken(';');
+ String tuple = parts[0];
+ if (parts.length > 1) {
+ packet.put('interface', ['name': parts[1]]);
+ }
+ String[] fields = tuple.splitOnToken(',');
+ if (fields.length >= 5) {
+ packet.put('source', ['ip': fields[0], 'port': Long.parseLong(fields[1])]);
+ packet.put('destination', ['ip': fields[2], 'port': Long.parseLong(fields[3])]);
+ packet.put('network', ['iana_number': fields[4]]);
+ parsed.add(packet);
+ }
+ }
+ if (parsed.size() > 0) {
+ ctx.checkpoint.packets_dropped = parsed;
+ ctx.checkpoint.remove('packets');
+ }
 - convert:
 tag: convert_checkpoint_packets_3af974e8
 field: checkpoint.packets
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index af771357404..0b6c9cdb660 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
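Review bot: `Long.parseLong(fields[1])` and `Long.parseLong(fields[3])` in the new script throw NumberFormatException on a tuple whose port field is not numeric, and no `on_failure` handler is visible in this hunk, so a single malformed `packets` value from a device would fail the whole document rather than just that tuple. Since the field is device-supplied text that the script otherwise guards carefully (empty entries and short tuples are skipped), I would wrap the two parses in a try/catch that skips the tuple and lets the well-formed ones still land in `packets_dropped`; an `ip`-typed mapping has the same exposure for `fields[0]`/`fields[2]` at index time, which a script cannot intercept, so that case is worth a negative sample in the test log. The `processors` list this hunk edits continues outside the hunk.

```painless
String[] fields = tuple.splitOnToken(',');
if (fields.length >= 5) {
    try {
        packet.put('source', ['ip': fields[0], 'port': Long.parseLong(fields[1])]);
        packet.put('destination', ['ip': fields[2], 'port': Long.parseLong(fields[3])]);
    } catch (NumberFormatException e) {
        // Malformed tuple (non-numeric port): skip it rather than failing the document.
        continue;
    }
    packet.put('network', ['iana_number': fields[4]]);
    parsed.add(packet);
}
// … unchanged: packets_dropped assignment and removal of checkpoint.packets …
```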
@@ -1187,6 +1187,47 @@
 type: integer
 description: |
 Amount of packets dropped.
+ - name: packets_dropped
+ type: nested
+ description: |
+ Connection tuples for dropped packets containing source/destination IP, port, protocol, and interface.
+ fields:
+ - name: source
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Source IP address of the dropped packet.
+ - name: port
+ type: long
+ description: |
+ Source port of the dropped packet.
+ - name: destination
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Destination IP address of the dropped packet.
+ - name: port
+ type: long
+ description: |
+ Destination port of the dropped packet.
+ - name: network
+ type: group
+ fields:
+ - name: iana_number
+ type: keyword
+ description: |
+ IANA protocol number of the dropped packet.
+ - name: interface
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Interface name where the packet was dropped.
 - name: packet_capture_unique_id
 type: keyword
 description: |
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 621611c1f29..1ce85c56e33 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -488,6 +488,12 @@ The `firewall` data stream provides events from Check Point devices, including f
 | checkpoint.packet_capture_name | | keyword |
 | checkpoint.packet_capture_time | | keyword |
 | checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword |
+| checkpoint.packets_dropped.destination.ip | Destination IP address of the dropped packet. | ip |
+| checkpoint.packets_dropped.destination.port | Destination port of the dropped packet. | long |
+| checkpoint.packets_dropped.interface.name | Interface name where the packet was dropped. | keyword |
+| checkpoint.packets_dropped.network.iana_number | IANA protocol number of the dropped packet. | keyword |
+| checkpoint.packets_dropped.source.ip | Source IP address of the dropped packet. | ip |
+| checkpoint.packets_dropped.source.port | Source port of the dropped packet. | long |
 | checkpoint.parent_file_hash | Archive's hash in case of extracted files. | keyword |
 | checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword |
 | checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index f9ec1737dac..fbade61f108 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.44.0"
+version: "1.45.0"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"