Closed
Description
Our Checkpoint ingest pipeline does not currently map IANA Protocol Numbers, which can be very helpful when building detection rules. Similar to our Firewall Input Consistency effort, IANA Protocol mappings should be included across our firewall integrations. A full list of protocols is available here.
A user shared this modification to the Checkpoint pipeline, which populates the `ctx.network.transport` field (and is based on our Fortinet pipelines). Can we add this script to our Checkpoint pipeline to ensure we perform mappings for widely used protocols?
```yaml
- script:
    lang: painless
    ignore_failure: true
    if: ctx?.network?.iana_number != null
    source: |
      if (ctx?.network == null) {
        ctx.network = new HashMap();
      }
      def iana_number = ctx.network.iana_number;
      if (iana_number == '1') {
        ctx.network.transport = 'icmp';
      } else if (iana_number == '2') {
        ctx.network.transport = 'igmp';
      } else if (iana_number == '6') {
        ctx.network.transport = 'tcp';
      } else if (iana_number == '17') {
        ctx.network.transport = 'udp';
      } else if (iana_number == '58') {
        ctx.network.transport = 'ipv6-icmp';
      }
```
Here's a helpful breakdown of the protocols found in a user's logs (provided by the user):

| network.iana_number | Count of records |
|---|---|
| 6 | 7790382919 |
| 17 | 1376747683 |
| 1 | 624467023 |
| 112 | 2190677 |
| 47 | 117981 |
| 50 | 1545 |
| 132 | 724 |
| 0 | 660 |
| 2 | 108 |
| 8 | 89 |
| 63 | 88 |
| 41 | 59 |
| 124 | 2 |
| 127 | 2 |
| 251 | 1 |
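To make the coverage question concrete, here is an added example (not code from this issue or from the integration) that replays the script's logic in Python over constructed Check Point-style events and, using the record counts in the breakdown above, counts how many records the five-protocol script leaves without `network.transport` compared with a fuller lookup table. The keyword names beyond the five in the script are taken from the IANA protocol-numbers registry and lowercased to the ECS convention; numbers 63 and 251 have no registry keyword and are deliberately left unmapped. The `str()` normalisation of `iana_number` is an assumption about how the field may arrive, not something the painless script does (it compares only against string literals).

```python
import copy
from typing import Dict

# Protocol keywords from the IANA protocol-numbers registry, lowercased (spaces
# replaced by hyphens) to follow the ECS network.transport convention.
# 63 ("any local network") and 251 (unassigned) carry no registry keyword, so they
# are left out: an event with one of those keeps network.transport unset, just as
# the proposed script leaves any number outside its else-if chain unset.
IANA_TRANSPORT: Dict[str, str] = {
    "0": "hopopt",
    "1": "icmp",
    "2": "igmp",
    "6": "tcp",
    "8": "egp",
    "17": "udp",
    "41": "ipv6",
    "47": "gre",
    "50": "esp",
    "58": "ipv6-icmp",
    "112": "vrrp",
    "124": "isis-over-ipv4",
    "127": "crtp",
    "132": "sctp",
}

# The five numbers the painless script in the issue handles.
PROPOSED_SCRIPT: Dict[str, str] = {
    k: IANA_TRANSPORT[k] for k in ("1", "2", "6", "17", "58")
}


def map_transport(event: dict, table: Dict[str, str] = IANA_TRANSPORT) -> dict:
    """Python stand-in for the ingest script.

    Sets network.transport from network.iana_number when the number is in
    `table`; otherwise the event comes back unchanged, mirroring the
    `if: ctx?.network?.iana_number != null` guard and the else-if chain.
    """
    event = copy.deepcopy(event)  # ingest processors mutate ctx; keep the caller's copy intact
    network = event.get("network")
    if not isinstance(network, dict) or network.get("iana_number") is None:
        return event
    # The painless script compares against string literals ('1', '6', ...), so a
    # numeric iana_number would never match there. Normalising to str here is an
    # assumption about the source data, not behaviour of the script itself.
    transport = table.get(str(network["iana_number"]))
    if transport is not None:
        network["transport"] = transport
    return event


def unmapped_records(counts: Dict[str, int], table: Dict[str, str]) -> int:
    """Number of records whose iana_number `table` cannot translate."""
    return sum(n for number, n in counts.items() if number not in table)


# Constructed from the per-protocol record counts in the issue's breakdown.
USER_COUNTS: Dict[str, int] = {
    "6": 7790382919, "17": 1376747683, "1": 624467023, "112": 2190677,
    "47": 117981, "50": 1545, "132": 724, "0": 660, "2": 108, "8": 89,
    "63": 88, "41": 59, "124": 2, "127": 2, "251": 1,
}


if __name__ == "__main__":
    # Constructed sample events in the shape the pipeline would see.
    samples = [
        {"network": {"iana_number": "6"}},    # mapped by both tables
        {"network": {"iana_number": 47}},     # GRE: only the fuller table knows it
        {"network": {"iana_number": "251"}},  # unassigned: stays unmapped
        {"source": {"ip": "10.0.0.1"}},       # no network block: untouched
    ]
    for ev in samples:
        print(map_transport(ev, PROPOSED_SCRIPT), "->", map_transport(ev))

    total = sum(USER_COUNTS.values())
    for name, table in (("proposed script", PROPOSED_SCRIPT), ("fuller table", IANA_TRANSPORT)):
        left = unmapped_records(USER_COUNTS, table)
        print(f"{name}: {left} of {total} records stay without network.transport")
```

The record-count comparison is the useful part for deciding scope: the five protocols in the script already cover the overwhelming majority of this user's traffic, but the next three numbers by volume (112 VRRP, 47 GRE, 50 ESP) are exactly the ones a detection engineer tends to filter on and are left blank by the else-if chain.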