Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Automatic Import] Reject CEF logs in Auto Import until it is s…
…upported (#201792) (#202444) # Backport This will backport the following commits from `main` to `8.x`: - [[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)](#201792) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Bharat Pasupula","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-02T11:46:04Z","message":"[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)\n\n## Release Note\r\n\r\nRestrict and Reject CEF logs in Automatic Import and redirect to CEF\r\nintegration instead.\r\n\r\n## Summary\r\n\r\nCurrently Automatic Import does not handle CEF logs properly and gives\r\nwierd errors.\r\n\r\nThis PR identifies the CEF logs and sends an error popup to\r\nalternatively go for CEF integration instead.\r\n\r\n<img width=\"1229\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d\">\r\n\r\n## Testing\r\n\r\nTested this with different types of CEF logs\r\n\r\n```\r\n<14>Nov 22 16:19:13 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to Everyone on E:\\\\Share\\\\Share\\\\Finance cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=None filePermission=Read & Execute dpriv=Everyone start=\r\n<14>Nov 22 16:44:31 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File opened|2|rt=Nov 22 2024 16:44:31 cat=Alert cs2=Dani Test - access of credentials cs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024 16:34:33 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\B4\\\\Project mgmt\\\\U3 projects11.txt:Zone.Identifier fname=U3 projects11.txt:Zone.Identifier act=File opened dvchost= outcome=Success msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=None cs6Label=ChangedPermissions oldFilePermission=None filePermission=None dpriv= start=\r\n```\r\n\r\n```\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4\r\n```\r\n\r\n```\r\n<163>Apr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\nApr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\n<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n<165>1 2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n```\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"f6fa94f4768f8a2623fceaaf242ead24a3667ad6","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","backport:prev-minor","Team:Security-Scalability","Feature:AutomaticImport"],"title":"[Automatic Import] Reject CEF logs in Auto Import until it is supported","number":201792,"url":"https://github.com/elastic/kibana/pull/201792","mergeCommit":{"message":"[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)\n\n## Release Note\r\n\r\nRestrict and Reject CEF logs in Automatic Import and redirect to CEF\r\nintegration instead.\r\n\r\n## Summary\r\n\r\nCurrently Automatic Import does not handle CEF logs properly and gives\r\nwierd errors.\r\n\r\nThis PR identifies the CEF logs and sends an error popup to\r\nalternatively go for CEF integration instead.\r\n\r\n<img width=\"1229\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d\">\r\n\r\n## Testing\r\n\r\nTested this with different types of CEF logs\r\n\r\n```\r\n<14>Nov 22 16:19:13 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to Everyone on E:\\\\Share\\\\Share\\\\Finance cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=None filePermission=Read & Execute dpriv=Everyone start=\r\n<14>Nov 22 16:44:31 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File opened|2|rt=Nov 22 2024 16:44:31 cat=Alert cs2=Dani Test - access of credentials cs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024 16:34:33 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\B4\\\\Project mgmt\\\\U3 projects11.txt:Zone.Identifier fname=U3 projects11.txt:Zone.Identifier act=File opened dvchost= outcome=Success msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=None cs6Label=ChangedPermissions oldFilePermission=None filePermission=None dpriv= start=\r\n```\r\n\r\n```\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4\r\n```\r\n\r\n```\r\n<163>Apr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\nApr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\n<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n<165>1 2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n```\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"f6fa94f4768f8a2623fceaaf242ead24a3667ad6"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201792","number":201792,"mergeCommit":{"message":"[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)\n\n## Release Note\r\n\r\nRestrict and Reject CEF logs in Automatic Import and redirect to CEF\r\nintegration instead.\r\n\r\n## Summary\r\n\r\nCurrently Automatic Import does not handle CEF logs properly and gives\r\nwierd errors.\r\n\r\nThis PR identifies the CEF logs and sends an error popup to\r\nalternatively go for CEF integration instead.\r\n\r\n<img width=\"1229\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d\">\r\n\r\n## Testing\r\n\r\nTested this with different types of CEF logs\r\n\r\n```\r\n<14>Nov 22 16:19:13 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to Everyone on E:\\\\Share\\\\Share\\\\Finance cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=None filePermission=Read & Execute dpriv=Everyone start=\r\n<14>Nov 22 16:44:31 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File opened|2|rt=Nov 22 2024 16:44:31 cat=Alert cs2=Dani Test - access of credentials cs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024 16:34:33 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\B4\\\\Project mgmt\\\\U3 projects11.txt:Zone.Identifier fname=U3 projects11.txt:Zone.Identifier act=File opened dvchost= outcome=Success msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=None cs6Label=ChangedPermissions oldFilePermission=None filePermission=None dpriv= start=\r\n```\r\n\r\n```\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root\r\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4\r\n```\r\n\r\n```\r\n<163>Apr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\nApr 1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164\r\n<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n<165>1 2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424\r\n```\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"f6fa94f4768f8a2623fceaaf242ead24a3667ad6"}}]}] BACKPORT--> Co-authored-by: Bharat Pasupula <[email protected]>
- Loading branch information