
Fix/checkpoint session logs #12167

Open
wants to merge 7 commits into main

Conversation

srilumpa
Contributor

@srilumpa srilumpa commented Dec 19, 2024

  • Enhancement
  • Breaking change ?

Proposed commit message

This PR aims to handle Check Point firewall session logs in regard to the ECS structure.

Session logs are used to aggregate multiple connection logs from the same network activity into a single event. This aggregation adds a few fields:

  • creation_time records the time (as a UNIX timestamp) of the first connection for the current session
  • last_hit_time records the time (as a UNIX timestamp) of the last recorded connection for the current session
  • duration records the duration (in seconds) of the session
  • aggregated_log_count counts the number of connection logs aggregated in this session log
  • connection_count counts the number of connections recorded in the session log
  • update_count counts the number of times the session was updated

This PR will:

  • interpret creation_time and last_hit_time as a date and store them into the ECS fields event.start and event.end respectively
  • convert duration to a nanoseconds duration as per the ECS event.duration specification and store it into the expected `event.duration` field
  • ensure checkpoint.aggregated_log_count, checkpoint.connection_count and checkpoint.update_count are mapped to a numeric type

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

How to test this PR locally

Related issues
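The normalization the description lists, as an added Python example that is not the PR's ingest pipeline and not code from the elastic/integrations project. The six source field names and the three ECS targets come from the PR; the sample record is constructed, and the checkpoint.raw fallback and the tag names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from decimal import Decimal

NANOS_PER_SECOND = 1_000_000_000

# Constructed sample: the six session-aggregation fields named in the PR,
# as the strings they arrive as before any typing is applied.
SAMPLE_SESSION_LOG = {
    "creation_time": "1734620000",
    "last_hit_time": "1734620123",
    "duration": "123",
    "aggregated_log_count": "17",
    "connection_count": "12",
    "update_count": "3",
}


def unix_to_iso8601(value):
    """Interpret a UNIX timestamp in seconds as an ISO 8601 UTC string (ECS date)."""
    seconds = int(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def seconds_to_nanos(value):
    """Convert a duration in seconds to integer nanoseconds (ECS event.duration).

    Decimal keeps fractional seconds exact; float arithmetic would leave
    rounding noise in the integer for values such as 0.1 s.
    """
    return int(Decimal(str(value)) * NANOS_PER_SECOND)


# (source field, target section, target key, converter)
SESSION_FIELD_MAP = [
    ("creation_time", "event", "start", unix_to_iso8601),
    ("last_hit_time", "event", "end", unix_to_iso8601),
    ("duration", "event", "duration", seconds_to_nanos),
    ("aggregated_log_count", "checkpoint", "aggregated_log_count", int),
    ("connection_count", "checkpoint", "connection_count", int),
    ("update_count", "checkpoint", "update_count", int),
]


def to_session_ecs(raw):
    """Map a raw session log to ECS and typed checkpoint.* fields.

    A value that cannot be converted is not dropped: it is kept under the
    assumed checkpoint.raw.<field> location and the document is tagged, so a
    mapping change that starts rejecting values leaves a visible trace.
    """
    doc = {"event": {}, "checkpoint": {}, "tags": []}
    for src, section, key, convert in SESSION_FIELD_MAP:
        if src not in raw:
            continue
        try:
            doc[section][key] = convert(raw[src])
        except (ValueError, ArithmeticError, OSError):
            # decimal.InvalidOperation is an ArithmeticError; OSError covers
            # timestamps the platform cannot represent.
            doc["checkpoint"].setdefault("raw", {})[src] = raw[src]
            doc["tags"].append(f"_{src}_parse_failure")
    # Sanity check: a session cannot end before it started. Both strings use
    # the same fixed-width format, so string order is time order.
    start, end = doc["event"].get("start"), doc["event"].get("end")
    if start and end and end < start:
        doc["tags"].append("_session_end_before_start")
    if not doc["tags"]:
        del doc["tags"]
    return doc
```

On the sample record this yields event.start and event.end as ISO 8601 strings, event.duration as 123000000000 and the three counts as integers; a count such as "n/a" is retained under checkpoint.raw and tagged rather than discarded, which is the behaviour to look for in a pipeline's failure handling once the three fields are mapped as integer.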

@srilumpa srilumpa requested a review from a team as a code owner December 19, 2024 15:09
@andrewkroh andrewkroh added enhancement New feature or request Integration:checkpoint Check Point Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Dec 19, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

…possible dynamic mapping changes

- `checkpoint.aggregated_log_count`: keyword (dynamic) to integer
- `checkpoint.connection_count`: keyword (dynamic) to integer
- `checkpoint.update_count`: keyword (dynamic) to integer
@srilumpa
Contributor Author

BTW, I mentioned it in the changelog but not in the PR commit message, but this change will probably result in a mapping change for the three non-ECS fields (checkpoint.aggregated_log_count, checkpoint.connection_count and checkpoint.update_count), as they were dynamically mapped to a keyword but are now mapped to an integer.

Successfully merging this pull request may close these issues.

[Checkpoint]: Processing and mapping of Checkpoint Firewall session logs