diff --git a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
index e659322e65b..e926cdbf7b0 100644
--- a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
+++ b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
@@ -19,3 +19,4 @@
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" X-IronPort-AV: E=McAfee;i=\"6800,10657,11573\"; a=\"290145815\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 6d2f8da1cea..97ebee74aa3 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.44.0"
+ changes:
+ - description: Update KV split logic to take email headers into account.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15745
 - version: "1.43.0"
 changes:
 - description: Update documentation.
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
index bed1d3ec07c..cc4e57c4498 100644
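Review bot: The added fixture line exercises the case this PR is about — `\"; ` sequences inside the quoted `email_headers` value — but neither this file nor the pipeline test log at the next hunk contains a value whose last character before its closing quote is a literal backslash, which is the other boundary a lookbehind-based `field_split` has to get right (the reworked pattern in default.yml is cut off at the end of this view, so this is inferred from the changelog entry, not read from the regex). If the new split treats every `\"` as an escaped quote, such a value would absorb the pairs that follow it until the next unescaped quote; one constructed line with a value like `path:"C:\tmp\"; next:"x"` in both fixtures would pin the intended behaviour either way. The new value also ends with a space before its closing quote (`a=\"290145815\" "`) and the expected document shows it trimmed — if that is deliberate, a short remark in the PR description would stop the next reader from "fixing" the fixture.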
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
@@ -35,3 +35,4 @@
 <134>1 2025-02-18T10:01:41Z TEST_HOSTNAME CheckPoint 10038 - [action:"Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xae027eed,0xef89f5a0,0x5b806530,0x8b665bef}"; origin:"192.168.1.102"; originsicname:"CN=TESTWA022B001,O=TESTWM002001..t2z5yx"; sequencenum:"270"; time:"1739872901"; version:"5"; auth_method:"Password"; auth_method2:"DynamicID"; client_build:"986102607"; client_name:"Test Client"; client_version:"E123.123"; cvpn_category:"Session"; device_identification:"{313A7B1F-5FB8-4608-B0F8-05A2311B6FFF}"; domain_name:"EXAMPLE.LOCAL"; event_type:"Login"; failed_login_factor_num:"0"; host_ip:"10.1.1.1"; host_type:"PC"; hostname:"TEST_HOSTNAME"; lastupdatetime:"1739872901"; login_option:"two-way"; login_timestamp:"1739872901"; mac_address:"ab:cd:ef:01:23:45"; more:"authenticated_machine= (CN=TESTHOST1,OU=Test 2.0,OU=Testcomputers,DC=TEST,DC=LOCAL)"; office_mode_ip:"192.168.1.1"; os_bits:"64bit"; os_build:"19045"; os_edition:"Enterprise"; os_name:"Windows"; os_version:"10"; product:"Test Product"; proto:"6"; proxy_src_ip:"0.0.0.0"; s_port:"0"; service:"443"; session_timeout:"43174"; session_uid:"{31A46FFD-A526-4318-BA17-49CBCDC38A14}"; src:"192.168.211.208"; status:"Success"; suppressed_logs:"0"; tunnel_protocol:"IPSec"; user:" Test User "; user_dn:"CN=Test User,OU=Users,DC=test,DC=local"; user_group:"Users"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Reject"; flags:"44676"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746521905"; version:"5"; dst:"0.0.0.0"; encryption_failure::"no response from peer."; fw_subproduct:"VPN-1"; peer_gateway:"192.168.10.1"; proto:"0"; reject_category:"IKE failure"; rule:"0"; s_port:"0"; scheme::"IKE"; service:"0"; src:"0.0.0.0"; vpn_feature_name:"IKE"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Detect"; flags:"44676"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746491278"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1746456871;policy_name=Standard\]"; attack:"Port Scan"; attack_info:"Host Port Scan"; confidence_level:"5"; dst:"192.168.10.1"; performance_impact:"2"; product:"SmartDefense"; protection_id:"HostPortScan"; protection_name:"Host Port Scan"; protection_type:"anomaly"; proto:"4294967295"; s_port:"0"; service:"4294967295"; severity:"1"; smartdefense_profile:"Standard"; source:"Distinct"; src:"192.168.12.1"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" X-IronPort-AV: E=McAfee;i=\"6800,10657,11573\"; a=\"290145815\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
index 96aa01ca4d9..95f00fb1456 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json 
@@ -2451,6 +2451,75 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2025-10-06T03:20:44.000Z",
+ "checkpoint": {
+ "arrival_time": "1759720844",
+ "attachments_num": "1",
+ "delivery_time": "1759720852",
+ "email_content": "Attachments",
+ "email_headers": "X-IronPort-AV: E=Sophos;i=\\\"4.20,319,1751234400\\\"; d=\\\"png'150?scan'150,208,217,150\\\";a=\\\"13313487\\\" X-IronPort-AV: E=McAfee;i=\\\"6800,10657,11573\\\"; a=\\\"290145815\\\"",
+ "email_queue_id": "abcdefghijklm",
+ "email_queue_name": "N/A",
+ "links_num": "0",
+ "logid": "0",
+ "origin_sic_name": "cn=cp_mgmt,o=gw-da58d3..tmn8s8",
+ "original_queue_id": "lmnopqrstuvw",
+ "scan_ended": "1759720844",
+ "scan_started": "1759720844",
+ "status_update": "1759720852"
+ },
+ "destination": {
+ "ip": "192.168.1.100",
+ "port": 25
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "email": {
+ "delivery_timestamp": "1759720852",
+ "local_id": "abcdefghijklm"
+ },
+ "event": {
+ "action": "Accept",
+ "category": [
+ "network"
+ ],
+ "end": "2025-10-06T03:20:52.000Z",
+ "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}",
+ "kind": "event",
+ "original": "<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1759720844\"; version:\"5\"; arrival_time:\"1759720844\"; attachments_num:\"1\"; delivery_time:\"1759720852\"; dst:\"192.168.1.100\"; email_content:\"Attachments\"; email_headers:\"X-IronPort-AV: E=Sophos;i=\\\"4.20,319,1751234400\\\"; d=\\\"png'150?scan'150,208,217,150\\\";a=\\\"13313487\\\" X-IronPort-AV: E=McAfee;i=\\\"6800,10657,11573\\\"; a=\\\"290145815\\\" \"; email_queue_id:\"abcdefghijklm\"; email_queue_name:\"N/A\"; lastupdatetime:\"1759720852\"; links_num:\"0\"; original_queue_id:\"lmnopqrstuvw\"; product:\"MTA\"; s_port:\"12345\"; scan_ended:\"1759720844\"; scan_started:\"1759720844\"; service:\"25\"; src:\"192.168.2.100\"; status_update:\"1759720852\"]",
+ "sequence": 1,
+ "timezone": "UTC"
+ },
+ "network": {
+ "direction": "outbound"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "eth0"
+ }
+ },
+ "name": "192.168.1.100",
+ "product": "MTA",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "related": {
+ "ip": [
+ "192.168.2.100",
+ "192.168.1.100"
+ ]
+ },
+ "source": {
+ "ip": "192.168.2.100",
+ "port": 12345
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 8eabc396b6c..557151f2367 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -33,7 +33,7 @@ processors: - kv: tag: "kv_syslog_structured_semicolon_colon" field: syslog5424_sd - field_split: '(?<="); ' + field_split: '(?
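Review bot: `email.delivery_timestamp` is pinned here as the raw epoch-seconds string `"1759720852"`, while `event.end`, which comes from the same `delivery_time` value, is pinned as `"2025-10-06T03:20:52.000Z"`; if that ECS field is mapped as `date` (it is a date in the ECS definition), Elasticsearch's default `strict_date_optional_time||epoch_millis` format will read the bare digits as milliseconds and index the document in 1970 rather than reject it. The processor that sets it lives in default.yml outside this view, but the expected document should carry the converted form, `"delivery_timestamp": "2025-10-06T03:20:52.000Z"`, produced by the same `date` processor with `UNIX` format that already feeds `event.end`; the same question applies to `email.delivery_timestamp`'s sibling epoch strings kept under `checkpoint.*`, which are fine as keyword copies. Secondary: `checkpoint.email_headers` retains the log's `\"` escape sequences verbatim (`\\\"` in the JSON), so every quote in the header text reaches consumers with a literal backslash in front of it; a `gsub` on that field after the KV split would normalise it, though keeping the raw form may be intentional and then deserves a comment next to the field's mapping.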