Cherry-pick #16907 to 7.x: [SIEM][CEF] Add support for Check Point devices #17111
Commits on Mar 19, 2020
-
[SIEM][CEF] Add support for Check Point devices (elastic#16907)
* Make CEF key name mapping case-insensitive There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to ignore case when mapping keys to full names. * Add missing custom CEF extensions This adds: - `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected. - `flexNumber[12](Label)`: These two alternative custom numbers were dropped after V23 of the spec, but still used by some vendors. [Maybe unnecessary] changes: - Changed the case of `DeviceCustomNumber2` from uppercase as documented) to lowercase to align with the other fields. * CEF module: Support Check Point devices This adds a new ingest pipeline and fields to populate from Check Point CEF logs. Closes elastic#16041 (cherry picked from commit f6fde2e)
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.