
Checkpoint | Map IANA Protocol Numbers #2463

Closed
jamiehynds opened this issue Jan 4, 2022 · 1 comment · Fixed by #2470
Labels
enhancement New feature or request good first issue Good for newcomers Integration:checkpoint Check Point

Comments

@jamiehynds

jamiehynds commented Jan 4, 2022

Our Checkpoint ingest pipeline does not currently map IANA Protocol Numbers, which can be very helpful when building detection rules. Similar to our Firewall Input Consistency effort, IANA Protocol mappings should be included across our firewall integrations. A full list of protocols is available here.

A user shared this modification to the Checkpoint pipeline, which populates the ctx.network.transport field (and based on our Fortinet pipelines). Can we add this script to our Checkpoint pipeline to ensure we perform mappings for widely used protocols?

```yaml
- script:
    lang: painless
    ignore_failure: true
    if: ctx?.network?.iana_number != null
    source: |
      if (ctx?.network == null) {
          ctx.network = new HashMap();
      }
      def iana_number = ctx.network.iana_number;
      if (iana_number == '1') {
        ctx.network.transport = 'icmp';
      } else if (iana_number == '2') {
        ctx.network.transport = 'igmp';
      } else if (iana_number == '6') {
        ctx.network.transport = 'tcp';
      } else if (iana_number == '17') {
        ctx.network.transport = 'udp';
      } else if (iana_number == '58') {
        ctx.network.transport = 'ipv6-icmp';
      }
```

Here's a helpful breakdown of protocols found in a user's logs (provided by the user):

| network.iana_number | Count of records |
|---------------------|------------------|
| 6                   | 7790382919       |
| 17                  | 1376747683       |
| 1                   | 624467023        |
| 112                 | 2190677          |
| 47                  | 117981           |
| 50                  | 1545             |
| 132                 | 724              |
| 0                   | 660              |
| 2                   | 108              |
| 8                   | 89               |
| 63                  | 88               |
| 41                  | 59               |
| 124                 | 2                |
| 127                 | 2                |
| 251                 | 1                |
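As an added illustration (not code from the issue, the user, or the Check Point integration), the same mapping in Python, extended with the protocols that appear in the shared breakdown and with a coverage check against those counts. Protocol names beyond the five in the painless script are assumed from the IANA registry in ECS lowercase form; the count figures are copied from the table above.

```python
"""Hypothetical reference implementation of the IANA-number -> ECS
network.transport mapping proposed for the Check Point pipeline."""

# Assumption: ECS uses lowercase protocol keywords; names follow the IANA registry.
IANA_PROTOCOLS = {
    "0": "hopopt", "1": "icmp", "2": "igmp", "6": "tcp", "8": "egp",
    "17": "udp", "41": "ipv6", "47": "gre", "50": "esp", "58": "ipv6-icmp",
    "112": "vrrp", "132": "sctp",
}

# The five entries handled by the painless script quoted in the issue.
PROPOSED_SCRIPT = {k: IANA_PROTOCOLS[k] for k in ("1", "2", "6", "17", "58")}


def map_transport(event: dict, table: dict = IANA_PROTOCOLS) -> dict:
    """Mirror the ingest script: set network.transport only when
    network.iana_number is present and known; leave unknown numbers alone."""
    network = event.get("network")
    if not isinstance(network, dict) or network.get("iana_number") is None:
        return event
    # Check Point stores iana_number as a string; normalise ints so an
    # integer-typed field does not silently fail the string comparison.
    number = str(network["iana_number"]).strip()
    transport = table.get(number)
    if transport is not None:
        network["transport"] = transport
    return event


def unmapped_records(counts: dict, table: dict) -> int:
    """Number of records whose iana_number has no entry in `table`."""
    return sum(n for proto, n in counts.items() if proto not in table)


# Constructed from the per-protocol breakdown shared in the issue.
USER_COUNTS = {
    "6": 7790382919, "17": 1376747683, "1": 624467023, "112": 2190677,
    "47": 117981, "50": 1545, "132": 724, "0": 660, "2": 108, "8": 89,
    "63": 88, "41": 59, "124": 2, "127": 2, "251": 1,
}

if __name__ == "__main__":
    print(map_transport({"network": {"iana_number": 47}}))
    for name, table in (("proposed", PROPOSED_SCRIPT), ("extended", IANA_PROTOCOLS)):
        print(f"{name}: {unmapped_records(USER_COUNTS, table)} records unmapped")
```

Run against the shared counts, the five-entry script leaves about 2.3 million records (mostly VRRP and GRE) without a transport name, while the extended table leaves 93.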
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
