[Check Point] Process the packets field in SecureXL format #16235
Conversation
ilyannn
added
enhancement
ilyannn
changed the title
ilyannn
changed the title
ilyannn
changed the title
🚀 Benchmarks reportTo see the full report comment with |
💚 Build Succeeded
cc @ilyannn |
P1llus
left a comment
P1llus
left a comment
There was a problem hiding this comment.
Do we have any sample data (anonymized) we can add to the pipeline test?
| field: checkpoint.subs_exp | ||
| ignore_missing: true | ||
| - script: | ||
| tag: script_parse_checkpoint_packets_dropped |
There was a problem hiding this comment.
It would be preferred if we could use a common processor to parse this out, as script regex is quite heavy, was this the only way? looking at the data I guess it does seem like that, but its quite troublesome for performance reasons
| description: | | ||
| Amount of packets dropped. | ||
| - name: packets_dropped | ||
| type: nested |
There was a problem hiding this comment.
Just leaving it as a note rather than something that needs to be resolved, nested types are something we do try to avoid as much as possible, but at this point I am unsure about any other better alternative
| - script: | ||
| tag: script_parse_checkpoint_packets_dropped | ||
| description: Parse packets field containing connection tuples into structured packets_dropped array. | ||
| if: ctx.checkpoint?.packets instanceof String && ctx.checkpoint.packets.contains('<') |
There was a problem hiding this comment.
I am a bit unsure but it could be startsWith is better performance wise, though if the only times this is a string is when it is the SecureXL format it might be okay.
If we had sample data we could see if there was an already parsed field that showcases that it's SecureXL type data so we wouldn't need to use either
andrewkroh
added
the
documentation
4 participants
Proposed commit message
The specification at https://support.checkpoint.com/results/sk/sk144192 describes the
packetsfield in the Security Gateway - SecureXL Fields section as the tuple ofThe current pipeline, however, parses the
packetsfield as an integer, handling only the format described in the Security Gateway - Firewall Fields section. When this field comes as defined in the SecureXL section – a string describing the dropped packets – the current pipeline fails.In practice the tuple can also contain an additional member denoting the network interface.
This PR adds the parsing to the pipeline. The result is an array of json objects, each structured according to the ECS, that is:
We handle both the case when the interface name is present (as in practice) and when it's not (as per specification). The added group is defined as
nestedto preserve the relationships within each tuple.The parsing is implemented as a Painless script; alternative approaches were tried, but were not ultimately successful.
Screenshot
From the specification:
Checklist
changelog.ymlfile.[ ] I have verified that any added dashboard complies with Kibana's Dashboard good practicesAuthor's Checklist
How to test this PR locally
GenAI Note
Cursor with the Claude Opus 4.5 model was used in creating this PR's contents, especially the Painless script.