Commit f6fde2e
authored
[SIEM][CEF] Add support for Check Point devices (#16907)
* Make CEF key name mapping case-insensitive
There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to
ignore case when mapping keys to full names.
* Add missing custom CEF extensions
This adds:
- `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected.
- `flexNumber[12](Label)`: These two alternative custom numbers were
dropped after V23 of the spec, but still used by some vendors.
[Maybe unnecessary] changes:
- Changed the case of `DeviceCustomNumber2` from uppercase (as
documented) to lowercase to align with the other fields.
* CEF module: Support Check Point devices
This adds a new ingest pipeline and fields to populate from Check Point
CEF logs.
Closes #16041
1 parent 21be671 commit f6fde2e
17 files changed
Lines changed: 1643 additions & 34 deletions
File tree
- filebeat/docs
- modules
- x-pack/filebeat
- module/cef
- _meta
- log
- _meta
- ingest
- test
- processors/decode_cef
- _meta
- cef
- testdata
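The case-insensitive key mapping and the added custom extension keys described in the commit message above, as an added Go example that is not the Filebeat module's own code. The key table, the sample extension string and the simplified tokenizer are assumptions made for the example.

```go
package main

import "strings"

// Short CEF extension keys and their full names, constructed for this example
// (not the module's own table) around what the commit message mentions: c6a2 for
// deviceCustomIPv6Address2, flexNumber1/2 (assumed to appear under their full
// name, so they map to themselves) and cn2 in lowercase.
var cefKeyNames = map[string]string{
	"c6a1": "deviceCustomIPv6Address1", "c6a1Label": "deviceCustomIPv6Address1Label",
	"c6a2": "deviceCustomIPv6Address2", "c6a2Label": "deviceCustomIPv6Address2Label",
	"c6a3": "deviceCustomIPv6Address3", "c6a3Label": "deviceCustomIPv6Address3Label",
	"c6a4": "deviceCustomIPv6Address4", "c6a4Label": "deviceCustomIPv6Address4Label",
	"cn2": "deviceCustomNumber2", "cn2Label": "deviceCustomNumber2Label",
	"flexNumber1": "flexNumber1", "flexNumber1Label": "flexNumber1Label",
	"flexNumber2": "flexNumber2", "flexNumber2Label": "flexNumber2Label",
}
// lowerIndex re-keys the table by lowercased short name once, so lookups
// ignore case: "C6a4Label" (as written in the docs) and "c6a4Label" resolve alike.
var lowerIndex = func() map[string]string {
	m := make(map[string]string, len(cefKeyNames))
	for k, v := range cefKeyNames {
		m[strings.ToLower(k)] = v
	}
	return m
}()
// FullKeyName maps a CEF extension key to its full name, ignoring case;
// unknown keys pass through unchanged.
func FullKeyName(key string) string {
	if full, ok := lowerIndex[strings.ToLower(key)]; ok {
		return full
	}
	return key
}
// ParseExtensions splits a CEF extension field into key=value pairs keyed by
// full name. Simplification: a token containing '=' starts a new pair, any
// other token extends the previous value (spaces in values work, CEF escapes do not).
func ParseExtensions(ext string) map[string]string {
	out := map[string]string{}
	cur := ""
	for _, tok := range strings.Fields(ext) {
		if i := strings.IndexByte(tok, '='); i > 0 {
			cur = FullKeyName(tok[:i])
			out[cur] = tok[i+1:]
		} else if cur != "" {
			out[cur] += " " + tok
		}
	}
	return out
}
```

Feeding a constructed extension such as `c6a4=2001:db8::1 C6a4Label=Destination IPv6 cn2=42` through `ParseExtensions` yields the fields under their full names regardless of how the sender capitalised the keys.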