[checkpoint] Improve normalization of user.name field (#10896)

* [checkpoint] Improve normalization of user.name field * Updated changelog with PR number * Address code review feedback
elastic · Sep 9, 2024 · 3f9c174 · 3f9c174
1 parent 4ee98d3
commit 3f9c174
Show file tree

Hide file tree

Showing 10 changed files with 92 additions and 23 deletions.
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.33.1"
+  changes:
+    - description: Improve normalization of user.name field
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10896
 - version: "1.33.0"
   changes:
     - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."

diff --git a/...heckpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-audit.log-expected.json b/...heckpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-audit.log-expected.json
@@ -3,6 +3,7 @@
         {
             "@timestamp": "2024-01-04T04:26:20.000Z",
             "checkpoint": {
+                "administrator": "testUser",
                 "fieldschanges": "Name: was not modified Source: was not modified Destination: Added 'bm_core_switches' VPN: was not modified Action: was not modified Track: was not modified  Layer Name: 'bnkb01-Bermuda_Prod Security' Policy Names: ''",
                 "logic_changes": "Dsts.dsts: Added '54bbefc0-48c4-4525-8120-2f94f9ac7b8e'",
                 "objecttype": "Access Control Rule",
@@ -71,6 +72,7 @@
         {
             "@timestamp": "2024-01-04T05:03:52.000Z",
             "checkpoint": {
+                "administrator": "testUser",
                 "fieldschanges": "Name: name is empty Source: Added 'Alice', 'Bob', 'Cat';  Destination: Added 'Alice.2', 'Alice.3', 'Alice.4', 'Alice.5';  VPN: Any Action: Changed from 'Drop' to 'Accept' Track: Changed from 'None' to 'Log' Comments: 'CHG0887890 TS 040124' Services & Applications: Added 'tcp_5601', 'tcp_3001', 'TCP_1002', 'TCP_5600';  UseLogPerConnection: Changed from 'Disable' to 'Enable'  Layer Name: 'CAMCCCVBNTB009_prod Security' Policy Names: ''",
                 "logic_changes": "ActionSettings.action: Changed from 'rtheyht-8eec-4103-ad21-cd461ac2c473' to 'rtheyht-8eec-4103-ad21-cd461ac2c472' TrackSettings.useLogPerConnection: Changed from 'Disable' to 'Enable'",
                 "objecttype": "Access Control Rule",
@@ -135,6 +137,7 @@
         {
             "@timestamp": "2024-01-04T04:51:17.000Z",
             "checkpoint": {
+                "administrator": "testUser",
                 "fieldschanges": "Name: name is empty Source: Added 'Alice.2', 'Alice.3', 'Alice.4', 'Alice.5';  Destination: Added 'BNTB_10.255.109.83', 'BNTB_10.255.109.76', 'HP_155.61.9.27';  VPN: Any Action: Changed from 'Drop' to 'Accept' Track: Changed from 'None' to 'Log' Comments: 'CHG0887889 TS 040124' Services & Applications: Added 'tcp_3001', 'TCP_1002', 'TCP_5600', 'tcp_5601';  UseLogPerConnection: Changed from 'Disable' to 'Enable'  Layer Name: 'CAMCCCVBNTB005_prod_Clone Security' Policy Names: ''",
                 "logic_changes": "ActionSettings.action: Changed from 'rtheyht-8eec-4103-ad21-cd461ac2c473' to 'rtheyht-8eec-4103-ad21-cd461ac2c472' Applications.applications: Added 'c8dea3f3-9dc5-4015-9a53-28d7ff74269c', '964309ed-bf93-43ab-829c-e0c932e1036d', '8f4a01b6-d247-48e8-828d-da78c3bd705c', '92cd90d2-e1e8-45c8-a27a-7df33bc35cd4'; Removed '97aeb369-9aea-11d5-bd16-0090272ccb30' Comments: 'CHG0887889 TS 040124' Dsts.dsts: Added '0ab016cd-442f-4d70-9dab-49302b909f1a', 'fd0040e8-b195-4d84-a7a5-145c2ed47b48', '9ab91246-8916-470f-0a31-73bc06b9458a'; Removed '97aeb369-9aea-11d5-bd16-0090272ccb30' Srcs.srcs: Added '384f949d-3eb2-49f8-872d-759c6a47dea5', '43f8deeb-4d91-498c-be12-bf856a8e455a', 'b2ff1fb1-280f-499c-bae0-32b31016721d', '28dc7aad-dc42-4696-a263-1994aff44699'; Removed '97aeb369-9aea-11d5-bd16-0090272ccb30' TrackSettings.track: Changed from '29e53e3d-23bf-48fe-b6b1-d59bd88036f9' to '598ead32-aa42-4615-90ed-f51a5928d41d' TrackSettings.useLogPerConnection: Changed from 'Disable' to 'Enable'",
                 "objecttype": "Access Control Rule",
@@ -199,6 +202,7 @@
         {
             "@timestamp": "2024-01-02T14:18:04.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "fieldschanges": "Name: '2c90c96e-2c99-47a4-a3c3-993a14c018f4_765e58b0-ccbb-4947-bb97-44fe0f6d0b29' Profile: 'g_Recommended_Protection' Protection: 'Exponent CMS SQL Injection (CVE-2017-7991)' ProtectionId: '7732550153' StagingMode: 'Enable'",
                 "logic_changes": "Name: '2c90c96e-2c99-47a4-a3c3-993a14c018f4_765e58b0-ccbb-4947-bb97-44fe0f6d0b29' Profile: '2c90c96e-2c99-47a4-a3c3-993a14c018f4' Protection: '765e58b0-ccbb-4947-bb97-44fe0f6d0b29' ProtectionId: '6854867' StagingMode: 'Enable'",
                 "objecttype": "ThreatIpsProtectionOverride",
@@ -266,6 +270,7 @@
         {
             "@timestamp": "2024-01-02T20:57:52.000Z",
             "checkpoint": {
+                "administrator": "test_admin",
                 "machine": "machine.checkpoint.net",
                 "operation": "Log Out",
                 "operation_number": "12",
@@ -326,6 +331,7 @@
             "@timestamp": "2024-01-02T20:57:47.000Z",
             "checkpoint": {
                 "additional_info": "Authentication method: radius",
+                "administrator": "test_admin",
                 "machine": "machine.checkpoint.net",
                 "operation": "Log In",
                 "operation_number": "10",
@@ -385,6 +391,7 @@
         {
             "@timestamp": "2024-01-02T14:18:04.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "fieldschanges": "2 Objects were changed",
                 "operation": "Publish",
                 "origin_sic_name": "cn=cp_mgmt,o=auditTest..aw4c8s",
@@ -441,6 +448,7 @@
         {
             "@timestamp": "2024-01-02T14:18:04.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "fieldschanges": "Name: '2c90c96e-2c99-47a4-a3c3-993a14c018f4_8e063574-e017-3745-96ed-80a573d73488' Profile: 'g_Recommended_Protection' Protection: 'Microsoft Exchange Server Remote Code Execution (CVE-2022-41082)' ProtectionId: '8589640366' StagingMode: 'Enable'",
                 "logic_changes": "Name: '2c90c96e-2c99-47a4-a3c3-993a14c018f4_8e063574-e017-3745-96ed-80a573d73488' Profile: '2c90c96e-2c99-47a4-a3c3-993a14c018f4' Protection: '8e063574-e017-3745-96ed-80a573d73488' ProtectionId: '8589640366' StagingMode: 'Enable'",
                 "objecttype": "ThreatIpsProtectionOverride",
@@ -508,6 +516,7 @@
         {
             "@timestamp": "2024-01-02T14:18:04.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "fieldschanges": "IPS version was updated from 635240010 to 635240034",
                 "operation": "IPS Update",
                 "origin_sic_name": "cn=cp_mgmt,o=auditTest..aw4c8s",
@@ -569,6 +578,7 @@
         {
             "@timestamp": "2024-01-02T00:21:21.000Z",
             "checkpoint": {
+                "administrator": "test_admin",
                 "audit_status": "Success",
                 "machine": "172.16.1.190",
                 "operation": "Run One Time Script",
@@ -631,6 +641,7 @@
         {
             "@timestamp": "2024-01-01T14:18:28.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "objecttype": "ThreatIpsProtectionOverride",
                 "operation": "Delete Object",
                 "origin_sic_name": "cn=cp_mgmt,o=auditTest..aw4c8s",
@@ -696,6 +707,7 @@
         {
             "@timestamp": "2024-01-01T01:01:48.000Z",
             "checkpoint": {
+                "administrator": "Scheduled system update",
                 "fieldschanges": "Application Control & URL Filtering Update version was updated from 141202312141035 to 141202312261218",
                 "operation": "Application Control & URL Filtering Update",
                 "origin_sic_name": "cn=cp_mgmt,o=auditTest..aw4c8s",

diff --git a/.../data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json b/.../data_stream/firewall/_dev/test/pipeline/test-checkpoint-authentication.log-expected.json
@@ -4,6 +4,7 @@
             "@timestamp": "2023-12-29T14:20:02.000Z",
             "checkpoint": {
                 "additional_info": "login by localhost",
+                "administrator": "WEB_API",
                 "operation": "Log In",
                 "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local",
                 "sendtotrackerasadvancedauditlog": "0"
@@ -61,6 +62,7 @@
             "@timestamp": "2023-12-29T14:03:03.000Z",
             "checkpoint": {
                 "additional_info": "Authentication method: Active Directory",
+                "administrator": "User (Example)",
                 "machine": "localhost",
                 "operation": "Log In",
                 "operation_number": "10",
@@ -120,6 +122,7 @@
             "@timestamp": "2023-12-29T08:42:55.000Z",
             "checkpoint": {
                 "additional_info": "Authentication method: radius",
+                "administrator": "[email protected]",
                 "machine": "desktop0001.example.local",
                 "operation": "Log In",
                 "operation_number": "10",
@@ -180,6 +183,7 @@
             "@timestamp": "2023-12-15T11:52:02.000Z",
             "checkpoint": {
                 "additional_info": "Authentication method: radius",
+                "administrator": "[email protected]",
                 "machine": "relay599.rdnssender.com",
                 "operation": "Log In",
                 "operation_number": "10",
@@ -240,6 +244,7 @@
             "@timestamp": "2023-12-27T09:39:55.000Z",
             "checkpoint": {
                 "additional_info": "Administrator failed to log in: Wrong Password",
+                "administrator": "[email protected]",
                 "audit_status": "Failure",
                 "machine": "relay599.rdnssender.com",
                 "operation": "Log In",
@@ -353,6 +358,7 @@
             "@timestamp": "2023-12-21T10:41:20.000Z",
             "checkpoint": {
                 "additional_info": "Administrator failed to log in: Wrong Password",
+                "administrator": "[email protected]",
                 "audit_status": "Failure",
                 "machine": "cp_console.example.local",
                 "operation": "Log In",
@@ -415,6 +421,7 @@
             "@timestamp": "2023-12-22T08:38:43.000Z",
             "checkpoint": {
                 "additional_info": "SSH connection by admin_org user to Expert Shell",
+                "administrator": "admin_org",
                 "alert": "Expert_Alert",
                 "device_name": "CPFW-0001",
                 "device_type": "GW",
@@ -478,6 +485,7 @@
             "@timestamp": "2023-12-01T08:49:00.000Z",
             "checkpoint": {
                 "additional_info": "SSH connection by [email protected] user to Expert Shell",
+                "administrator": "[email protected]",
                 "alert": "Expert_Alert",
                 "device_name": "CPFW-0001",
                 "device_type": "GW",
@@ -541,6 +549,7 @@
             "@timestamp": "2023-12-29T14:20:02.000Z",
             "checkpoint": {
                 "additional_info": "logout localhost",
+                "administrator": "WEB_API",
                 "operation": "Log Out",
                 "origin_sic_name": "cn=cp_mgmt,o=CP-Manager.example.local",
                 "sendtotrackerasadvancedauditlog": "0",
@@ -600,6 +609,7 @@
         {
             "@timestamp": "2023-12-29T13:42:04.000Z",
             "checkpoint": {
+                "administrator": "User (Example)",
                 "machine": "localhost",
                 "operation": "Log Out",
                 "operation_number": "12",
@@ -658,6 +668,7 @@
         {
             "@timestamp": "2023-12-29T13:23:54.000Z",
             "checkpoint": {
+                "administrator": "[email protected]",
                 "machine": "desktop0001.example.local",
                 "operation": "Log Out",
                 "operation_number": "12",

diff --git a/...point/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/...point/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
@@ -162,6 +162,7 @@
                 "rule_action": "Accept",
                 "scheme": "IKE",
                 "session_uid": "{6389E8E3-0000-0000-AC10-0209F7730000}",
+                "src_user_name": "srcuser",
                 "user": "srcuser",
                 "vpn_feature_name": "VPN"
             },
@@ -251,6 +252,7 @@
                 "rule_action": "Accept",
                 "scheme": "IKE",
                 "session_uid": "{6389E8E3-0000-0000-AC10-0209F7730000}",
+                "src_user_name": "srcuser",
                 "user": "srcuser",
                 "vpn_feature_name": "VPN"
             },

diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json
@@ -53,6 +53,7 @@
                 "origin_sic_name": "CN=xx-dc-gw-1_gw-vp-ext-5,O=7checkpoint-mng..tstst7",
                 "roles": "Remote_Access_AR",
                 "snid": "ccaaffdd",
+                "src_user_name": "usrTest (usrTest)",
                 "user": "usrTest (usrTest)"
             },
             "dns": {

diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
@@ -139,13 +139,16 @@
         {
             "@timestamp": "2023-01-13T12:10:16.000-05:00",
             "checkpoint": {
+                "dst_user_dn": "blake",
+                "dst_user_name": "dave",
                 "match_id": "762",
                 "nat_addtnl_rulenum": "0",
                 "nat_rulenum": "1195",
                 "row_start": "0",
                 "snid": "4748F525-85B7-448A-82DF-D4E4E8D55172",
                 "sport_svc": "56530",
                 "src_user_dn": "blake",
+                "src_user_name": "bob",
                 "svc": "443",
                 "user": "alice",
                 "xlatedport_svc": "34536",
@@ -197,6 +200,7 @@
                     "81.2.69.142"
                 ],
                 "user": [
+                    "alice",
                     "bob",
                     "dave"
                 ]
@@ -224,20 +228,21 @@
                     "ip": "81.2.69.144"
                 },
                 "user": {
-                    "name": "bob"
+                    "name": "alice"
                 }
             },
             "tags": [
                 "preserve_original_event"
             ],
             "user": {
-                "name": "bob"
+                "name": "alice"
             }
         },
         {
             "@timestamp": "2023-03-01T05:02:37.000Z",
             "checkpoint": {
                 "additional_info": "logout localhost",
+                "administrator": "WEB_API",
                 "logid": "0",
                 "match_id": "1",
                 "operation": "Log Out",
@@ -399,6 +404,7 @@
             "@timestamp": "2023-03-01T02:15:54.000Z",
             "checkpoint": {
                 "additional_info": "login by localhost",
+                "administrator": "WEB_API",
                 "operation": "Log In",
                 "sendtotrackerasadvancedauditlog": "0"
             },
@@ -455,6 +461,7 @@
             "@timestamp": "2023-03-01T02:16:17.000Z",
             "checkpoint": {
                 "additional_info": "logout localhost",
+                "administrator": "WEB_API",
                 "operation": "Log Out",
                 "sendtotrackerasadvancedauditlog": "0",
                 "session_uid": "02e77b40-e0d5-400c-bea0-5a7bd8fc9648"
@@ -513,6 +520,7 @@
         {
             "@timestamp": "2023-03-01T02:16:55.000Z",
             "checkpoint": {
+                "administrator": "admin",
                 "fieldschanges": "NTP version of server ntp.checkpoint.com is set to 4",
                 "machine": "gw-0b8ccd",
                 "operation": "Set Object"
@@ -563,6 +571,7 @@
         {
             "@timestamp": "2023-03-01T02:52:15.000Z",
             "checkpoint": {
+                "administrator": "admin",
                 "fieldschanges": "Dynamic Content: '{\\\"metaInfo\\\":{\\\"extendedObjectType\\\":[\\\"com.checkpoint.objects.log_exporter.LogExporter\\\"\\],\\\"templateName\\\":\\\"defaultTemplate\\\",\\\"isDefaultTemplate\\\":true},\\\"data\\\":{\\\"mdc_content\\\":{\\\"metaInfo\\\":{\\\"version\\\":\\\"1.0.0\\\"},\\\"data\\\":{\\\"export_link_ip\\\":null,\\\"export_attachment_ids\\\":false,\\\"format\\\":\\\"syslog\\\",\\\"export_log_link\\\":false,\\\"is_enabled\\\":true,\\\"target_port\\\":1235,\\\"protocol\\\":\\\"tcp\\\",\\\"read_mode\\\":\\\"semi-unified\\\",\\\"time_in_milli\\\":false,\\\"export_attachment_link\\\":false,\\\"target_server\\\":\\\"192.168.178.56\\\"}}}}' Name: 'Syslog'",
                 "logic_changes": "DynamicContent: '3489bcfe-cf3f-4398-9b2a-f7195d4f5e2a' Name: 'Syslog'",
                 "objecttype": "Log Exporter/SIEM",
@@ -625,6 +634,7 @@
             "@timestamp": "2023-03-01T05:15:58.000Z",
             "checkpoint": {
                 "additional_info": "logout localhost",
+                "administrator": "WEB_API",
                 "client_ipe": "Local"
             },
             "destination": {
@@ -717,6 +727,7 @@
             "@timestamp": "2023-03-01T07:21:08.000Z",
             "checkpoint": {
                 "additional_info": "Access Control Policy: Standard",
+                "administrator": "admin",
                 "audit_status": "Success",
                 "install_policy_acceleration": "Policy installation was accelerated",
                 "operation": "Install Policy",
@@ -810,6 +821,7 @@
         {
             "@timestamp": "2023-03-01T08:38:00.000Z",
             "checkpoint": {
+                "administrator": "admin",
                 "fieldschanges": "Name: 'no builder' Source: Removed 'None'; Changed to 'Any' Destination: Removed 'None'; Added 'builder' VPN: Any Action: Drop Track: Changed from 'None' to 'Log' Confirm UserCheck: 'Per rule' Services & Applications: Removed 'None'; Changed to 'Any' UserCheck Frequency: 'Once a day' UseLogPerConnection: Changed from 'Disable' to 'Enable'  Layer Name: 'Network' Policy Names: 'Standard'",
                 "logic_changes": "ActionSettings.userCheckSettings.frequency: 'once_a_day' ActionSettings.userCheckSettings.matchCriteria: 'per_rule' Applications.applications: Removed '97aeb36a-9aea-11d5-bd16-0090272ccb30'; Added '97aeb369-9aea-11d5-bd16-0090272ccb30' Dsts.dsts: Removed '97aeb36a-9aea-11d5-bd16-0090272ccb30'; Added '090b793a-ed21-4fd9-bf9e-346e4aa28bad' Name: 'no builder' Srcs.srcs: Removed '97aeb36a-9aea-11d5-bd16-0090272ccb30'; Added '97aeb369-9aea-11d5-bd16-0090272ccb30' TrackSettings.track: Changed from '29e53e3d-23bf-48fe-b6b1-d59bd88036f9' to '598ead32-aa42-4615-90ed-f51a5928d41d' TrackSettings.useLogPerConnection: Changed from 'Disable' to 'Enable'",
                 "objecttype": "Access Control Rule",
@@ -906,6 +918,7 @@
         {
             "@timestamp": "2023-03-02T00:35:43.000Z",
             "checkpoint": {
+                "administrator": "System",
                 "fieldschanges": "IPS version was updated from 635158746 to 635231428",
                 "operation": "IPS Update",
                 "origin_sic_name": "cn=cp_mgmt,o=gw-0b8ccd..zx8qy7",