[Filebeat] sync checkpoint module with Fleet integration (elastic#31076)

* Sync Check Point module with Fleet integration The Filebeat module was missing definitions for these four fields. - checkpoint.comment - checkpoint.conn_direction - checkpoint.db_ver - checkpoint.update_status The Filebeat pipeline is setting client and server based on the source and destination. That behavior was kept. Otherwise the pipelines are the same. This commit was used: elastic/integrations@2aee5ee * Add overwrite: true for checkpoint.update_status The same field is defined in the CEF module which also supports Check Point data.
kush-elastic · May 2, 2022 · 389a309 · 389a309
1 parent 9998ccc
commit 389a309
Show file tree

Hide file tree

Showing 9 changed files with 950 additions and 10,814 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -114,6 +114,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - threatintel module: Add new Recorded Future integration. {pull}30030[30030]
 - Improve recovery from corrupted registries. {issue}25135[25135] {pull}30994[30994]
 - Add support in httpjson input for chain calls. {pull}29816[29816]
+- checkpoint module: Add `network.transport` derived from IANA number. {pull}31076[31076]
 
 *Auditbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -20689,6 +20689,40 @@ type: keyword
 In case of phishing event, the domain, which the attacker was impersonating.
 
 
+type: keyword
+
+--
+
+*`checkpoint.comment`*::
++
+--
+type: keyword
+
+--
+
+*`checkpoint.conn_direction`*::
++
+--
+Connection direction
+
+type: keyword
+
+--
+
+*`checkpoint.db_ver`*::
++
+--
+Database version
+
+type: keyword
+
+--
+
+*`checkpoint.update_status`*::
++
+--
+Status of database update
+
 type: keyword
 
 --

diff --git a/x-pack/filebeat/module/checkpoint/fields.go b/x-pack/filebeat/module/checkpoint/fields.go
diff --git a/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml
@@ -2421,3 +2421,19 @@
       overwrite: true
       description: >
         In case of phishing event, the domain, which the attacker was impersonating.
+
+    - name: comment
+      type: keyword
+
+    - name: conn_direction
+      type: keyword
+      description: Connection direction
+
+    - name: db_ver
+      type: keyword
+      description: Database version
+
+    - name: update_status
+      type: keyword
+      overwrite: true
+      description: Status of database update
diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
@@ -25,10 +25,6 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_locale: ~
-  - add_fields:
-      target: ''
-      fields:
-        ecs.version: 1.12.0
 {{ if .external_zones }}
   - add_fields:
       target: _temp_