diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
index ea2f878990f..f1ecf27bbc0 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log
@@ -16,3 +16,4 @@
 <134>1 2023-03-02T00:35:43Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x63ffef61,0x0,0x28b2a8c0,0x1f0e3dff}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677717343"; version:"5"; administrator:"System"; client_ip:"192.168.178.40"; domain_name:"SMC User"; fieldschanges:"IPS version was updated from 635158746 to 635231428"; operation:"IPS Update"; product:"cpmidu_update_tool"; sendtotrackerasadvancedauditlog:"0"; session_description:"IPS"; session_name:"IPS"; session_uid:"965d39eb-e2f5-46dc-bcc2-8684a53cac65"; subject:"IPS Update"]
 <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727691"; log_id:"4294967295"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
 <134>1 2023-03-02T03:28:09Z gw-0b8ccd CheckPoint 15871 - [action:"Block"; flags:"311552"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x291ee176,0x3488469e,0xdb759c74,0xc0134e9a}"; origin:"192.168.178.40"; originsicname:"cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"; sequencenum:"1"; time:"1677727689"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1677720751;policy_name=Standard\]"; confidence_level:"5"; dlp_incident_uid:"{640017C9-0000-0001-27C5-C5E7C1878B89}"; dst:"81.2.69.144"; frequency:"1 days "; http_host:"sc1.checkpoint.com"; lastupdatetime:"1677727750"; log_id:"2"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; method:"GET"; packet_capture_name:"src-10.0.0.3.cap"; packet_capture_time:"1677727690"; packet_capture_unique_id:"time1677727689.id640acbe0.blade04"; policy:"Standard"; policy_time:"1677720775"; portal_message:"Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 498D79F3"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"10.0.0.3"; received_bytes:"60"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"34416"; scope:"10.0.0.3"; sent_bytes:"0"; service:"80"; service_id:"http"; session_id:"{0x640017c9,0x1,0x27c5c5e7,0xc1878b89}"; severity:"2"; smartdefense_profile:"Optimized"; src:"10.0.0.3"; suppressed_logs:"1"; layer_name:"Standard Threat Prevention"; layer_uuid:"{6CC286F4-87BC-412A-B231-8C63C30D978E}"; malware_rule_id:"{F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"; usercheck:"1"; usercheck_confirmation_level:"Application"; usercheck_incident_uid:"C9B778BF-CA91-A050-2673-53F9498D79F3"; usercheck_interaction_name:"Anti-Bot Blocked"; web_client_type:"Firefox"]
+<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"288"; loguid:"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}"; origin:"1.2.3.4"; originsicname:"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7"; sequencenum:"9"; time:"1734597254"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\]"; aggregated_log_count:"2"; connection_count:"2"; creation_time:"1734595323"; dst:"192.168.0.10"; duration:"1931"; hll_key:"6549446380911603098"; inzone:"Internal"; last_hit_time:"1734597254"; layer_name:"Network"; layer_name:"Admin Traffic"; layer_uuid:"c135090e-7d3a-44bf-b686-1589d3183102"; layer_uuid:"42f39ab2-d932-4b6b-abbf-8b6bd519e15b"; match_id:"34"; match_id:"67108866"; parent_rule:"0"; parent_rule:"34"; rule_action:"Inline"; rule_action:"Accept"; rule_name:"Traffic Outbound"; rule_name:"Traffic outbound"; rule_uid:"31aca655-e044-4f8d-91bf-5de3505f443b"; rule_uid:"ee877954-c304-4159-bda3-e8f78ed4a4fa"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; service:"389"; service_id:"ldap_udp"; src:"192.168.20.10"; update_count:"2"]
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
index 45da0582a02..e5359bbbf69 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
@@ -1213,6 +1213,96 @@
 "name": "Firefox",
 "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
 }
+ },
+ {
+ "checkpoint": {
+ "parent_rule": [
+ "0",
+ "34"
+ ],
+ "rule_action": [
+ "Inline",
+ "Accept"
+ ],
+ "origin_sic_name": "CN=cp_mgmt,O=gw-0b8ccd..zx8qy7",
+ "match_id": [
+ "34",
+ "67108866"
+ ],
+ "update_count": "2",
+ "connection_count": "2",
+ "logid": "288",
+ "aggregated_log_count": "2"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth4"
+ },
+ "zone": "Internal"
+ },
+ "product": "VPN-1 & FireWall-1",
+ "vendor": "Checkpoint",
+ "name": "1.2.3.4",
+ "type": "firewall",
+ "egress": {
+ "zone": "External"
+ }
+ },
+ "@timestamp": "2024-12-19T08:34:14.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "related": {
+ "ip": [
+ "192.168.20.10",
+ "192.168.0.10"
+ ]
+ },
+ "destination": {
+ "port": 389,
+ "ip": "192.168.0.10"
+ },
+ "rule": {
+ "name": [
+ "Traffic Outbound",
+ "Traffic outbound"
+ ],
+ "uuid": [
+ "31aca655-e044-4f8d-91bf-5de3505f443b",
+ "ee877954-c304-4159-bda3-e8f78ed4a4fa"
+ ]
+ },
+ "source": {
+ "ip": "192.168.20.10"
+ },
+ "event": {
+ "start": "2024-12-19T08:02:03.000Z",
+ "end": "2024-12-19T08:34:14.000Z",
+ "duration": 1931000000000,
+ "sequence": 9,
+ "original": "<134>1 2024-12-19T08:34:14Z gw-0b8ccd CheckPoint 15871 - [action:\"Accept\"; flags:\"16384\"; ifdir:\"inbound\"; ifname:\"eth4\"; logid:\"288\"; loguid:\"{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}\"; origin:\"1.2.3.4\"; originsicname:\"CN=cp_mgmt,O=gw-0b8ccd..zx8qy7\"; sequencenum:\"9\"; time:\"1734597254\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={48483CA8-998B-2D46-BEEF-CE5DA956505D};mgmt=gw-0b8ccd;date=1733928424;policy_name=Standard\\]\"; aggregated_log_count:\"2\"; connection_count:\"2\"; creation_time:\"1734595323\"; dst:\"192.168.0.10\"; duration:\"1931\"; hll_key:\"6549446380911603098\"; inzone:\"Internal\"; last_hit_time:\"1734597254\"; layer_name:\"Network\"; layer_name:\"Admin Traffic\"; layer_uuid:\"c135090e-7d3a-44bf-b686-1589d3183102\"; layer_uuid:\"42f39ab2-d932-4b6b-abbf-8b6bd519e15b\"; match_id:\"34\"; match_id:\"67108866\"; parent_rule:\"0\"; parent_rule:\"34\"; rule_action:\"Inline\"; rule_action:\"Accept\"; rule_name:\"Traffic Outbound\"; rule_name:\"Traffic outbound\"; rule_uid:\"31aca655-e044-4f8d-91bf-5de3505f443b\"; rule_uid:\"ee877954-c304-4159-bda3-e8f78ed4a4fa\"; outzone:\"External\"; product:\"VPN-1 & FireWall-1\"; proto:\"17\"; service:\"389\"; service_id:\"ldap_udp\"; src:\"192.168.20.10\"; update_count:\"2\"]",
+ "timezone": "UTC",
+ "kind": "event",
+ "action": "Accept",
+ "id": "{0xb2dea3d4,0xbf9adbd4,0xbdc92bc5,0xf8a33399}",
+ "category": [
+ "network"
+ ]
+ },
+ "network": {
+ "name": [
+ "Network",
+ "Admin Traffic"
+ ],
+ "transport": "udp",
+ "application": "ldap_udp",
+ "iana_number": "17",
+ "direction": "inbound"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
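Review bot: The added expected event turns each duplicated key of the new log line (layer_name, layer_uuid, match_id, parent_rule, rule_action, rule_name, rule_uid) into an independent array — `rule.name`, `rule.uuid`, `network.name`, `checkpoint.match_id`, `checkpoint.parent_rule`, `checkpoint.rule_action` — so the layer-to-rule pairing that the log line expresses by key order survives only by array index, and nothing in the test records that this alignment is intended. If the pipeline relies on ordered array output here, a comment on the processor that appends these values, such as `# repeated layer_*/rule_*/match_id/parent_rule keys are appended in log order; the resulting arrays are index-aligned`, would make the contract explicit for consumers correlating `rule.uuid` with `rule.name`. The event block also has `event.category: ["network"]` but no `event.type`; if the other Accept events in this file set one (not visible in this hunk), the aggregated-log path seems to skip it and is worth checking. The new `checkpoint.logid`, `aggregated_log_count`, `connection_count`, `update_count`, `match_id`, `parent_rule` and `rule_action` keys presumably also need field definitions outside this hunk; the enclosing expected array opens before the hunk.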