From 7233193bf7805f7e0cfa89fa093ad11e829c69af Mon Sep 17 00:00:00 2001
From: Ilya Nikokoshev
Date: Wed, 3 Dec 2025 19:42:06 +0100
Subject: [PATCH 1/2] [checkpoint] Add the processor for SecureXL fields
---
 .../elasticsearch/ingest_pipeline/default.yml | 23 +++++++++++
 .../data_stream/firewall/fields/fields.yml | 41 +++++++++++++++++++
 2 files changed, 64 insertions(+)
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 8eabc396b6c..faa07b8227f 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -1018,6 +1018,29 @@ processors:
 tag: remove_checkpoint_subs_exp_19a22c63
 field: checkpoint.subs_exp
 ignore_missing: true
+ - script:
+ tag: script_parse_checkpoint_packets_dropped
+ description: Parse packets field containing connection tuples into structured packets_dropped array.
+ if: ctx.checkpoint?.packets instanceof String && ctx.checkpoint.packets.contains('<')
+ lang: painless
+ source: |
+ def packetsStr = ctx.checkpoint.packets.trim();
+ def parsed = [];
+ def matcher = /<([^,]+),(\d+),([^,]+),(\d+),(\d+)(?:;([^>]+))?>/.matcher(packetsStr);
+ while (matcher.find()) {
+ def packet = new HashMap();
+ packet.put('source', ['ip': matcher.group(1), 'port': Long.parseLong(matcher.group(2))]);
+ packet.put('destination', ['ip': matcher.group(3), 'port': Long.parseLong(matcher.group(4))]);
+ packet.put('network', ['iana_number': matcher.group(5)]);
+ if (matcher.group(6) != null) {
+ packet.put('interface', ['name': matcher.group(6)]);
+ }
+ parsed.add(packet);
+ }
+ if (parsed.size() > 0) {
+ ctx.checkpoint.packets_dropped = parsed;
+ ctx.checkpoint.remove('packets');
+ }
 - convert:
 tag: convert_checkpoint_packets_3af974e8
 field: checkpoint.packets
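Review bot: The tuple regex in `script_parse_checkpoint_packets_dropped` accepts any non-comma run for the two address groups and an unbounded digit run for the ports, so a malformed SecureXL tuple is written unchecked into `source.ip`/`destination.ip` (mapped `type: ip` in the fields.yml hunk of this patch) and into `Long.parseLong`, which throws on a digit run beyond the long range; the first case rejects the whole document with a mapping error at index time, the second aborts the pipeline at this processor unless an `on_failure` handler outside the hunk catches it. Bounding the numeric groups to what a tuple can legitimately carry removes the parse exception, `def matcher = /<([^,]+),(\d{1,5}),([^,]+),(\d{1,5}),(\d{1,3})(?:;([^>]+))?>/.matcher(packetsStr);`, and keeping a bad address from dropping the event means either checking the token in the script before the `put` or marking the two `ip` fields `ignore_malformed: true` in fields.yml, since elements of the `packets_dropped` array cannot be addressed by a later `convert`. A second gap is the no-match path: when `packets` contains `<` but no tuple matches, `parsed` stays empty, `checkpoint.packets` keeps the raw string and reaches `convert_checkpoint_packets_3af974e8` on the next lines, whose tolerance for a non-numeric value depends on options outside the hunk. A short comment on the `if:` line naming the expected tuple layout would also spare the next reader from reverse-engineering the regex.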
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index 3bfd6b6f0e8..a5393acce87 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
@@ -1187,6 +1187,47 @@
 type: integer
 description: |
 Amount of packets dropped.
+ - name: packets_dropped
+ type: nested
+ description: |
+ Connection tuples for dropped packets containing source/destination IP, port, protocol, and interface.
+ fields:
+ - name: source
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Source IP address of the dropped packet.
+ - name: port
+ type: long
+ description: |
+ Source port of the dropped packet.
+ - name: destination
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Destination IP address of the dropped packet.
+ - name: port
+ type: long
+ description: |
+ Destination port of the dropped packet.
+ - name: network
+ type: group
+ fields:
+ - name: iana_number
+ type: keyword
+ description: |
+ IANA protocol number of the dropped packet.
+ - name: interface
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Interface name where the packet was dropped.
 - name: packet_capture_unique_id
 type: keyword
 description: |
From 0f68a6720189d5bfdfe08ac780db26eff737da6a Mon Sep 17 00:00:00 2001
From: Ilya Nikokoshev
Date: Wed, 3 Dec 2025 20:03:55 +0100
Subject: [PATCH 2/2] [checkpoint] Update the metadata
---
 packages/checkpoint/changelog.yml | 5 +++++
 packages/checkpoint/docs/README.md | 6 ++++++
 packages/checkpoint/manifest.yml | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 6d2f8da1cea..3134a9a25d7 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
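Review bot: `type: nested` on `packets_dropped` keeps each tuple's source, destination, protocol and interface associated, which is what the description promises, but the choice deserves a sentence of rationale because nested fields are not queried like flat object fields: a filter that pairs `packets_dropped.source.ip` with `packets_dropped.destination.port` needs a nested query, and every tuple is indexed as a separate hidden document counted against the index's nested-object limit. A single SecureXL drop line can carry many tuples, and neither this hunk nor the parsing script in default.yml bounds how many are stored per event, so a note on the expected cardinality (or a cap in the script) would help the next maintainer judge the cost. I would extend the description with `Stored as nested so that the fields of one tuple stay associated; filters that combine fields from the same tuple require a nested query.`.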
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.44.0"
+ changes:
+ - description: Process the packets field in SecureXL format.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16235
 - version: "1.43.0"
 changes:
 - description: Update documentation.
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 548ac5c4b00..c93bcec530a 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -488,6 +488,12 @@ The `firewall` data stream provides events from Check Point devices, including f
 | checkpoint.packet_capture_name | | keyword |
 | checkpoint.packet_capture_time | | keyword |
 | checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword |
+| checkpoint.packets_dropped.destination.ip | Destination IP address of the dropped packet. | ip |
+| checkpoint.packets_dropped.destination.port | Destination port of the dropped packet. | long |
+| checkpoint.packets_dropped.interface.name | Interface name where the packet was dropped. | keyword |
+| checkpoint.packets_dropped.network.iana_number | IANA protocol number of the dropped packet. | keyword |
+| checkpoint.packets_dropped.source.ip | Source IP address of the dropped packet. | ip |
+| checkpoint.packets_dropped.source.port | Source port of the dropped packet. | long |
 | checkpoint.parent_file_hash | Archive's hash in case of extracted files. | keyword |
 | checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword |
 | checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 4608ddb5bb7..f9ec1737dac 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.43.0"
+version: "1.44.0"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"