
Conversation

@bhapas bhapas (Contributor) commented Nov 26, 2024

Release Note

Restrict and reject CEF logs in Automatic Import and redirect to the CEF integration instead.

Summary

Currently, Automatic Import does not handle CEF logs properly and gives weird errors.

This PR identifies CEF logs and shows an error popup directing the user to the CEF integration instead.


Testing

Tested this with different types of CEF logs:

```
<14>Nov 22 16:19:13 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\Share\\Share\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to  Everyone on E:\\Share\\Share\\Finance cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=None filePermission=Read & Execute dpriv=Everyone start=
<14>Nov 22 16:44:31 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File opened|2|rt=Nov 22 2024 16:44:31 cat=Alert cs2=Dani Test - access of credentials cs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024 16:34:33 duser=zta.local\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\Share\\Share\\B4\\Project mgmt\\U3 projects11.txt:Zone.Identifier fname=U3 projects11.txt:Zone.Identifier act=File opened dvchost= outcome=Success msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=None cs6Label=ChangedPermissions oldFilePermission=None filePermission=None dpriv= start=
```

```
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4
```

```
<163>Apr  1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164
Apr  1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164
<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
<165>1 2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
```

Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.
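The identification step this PR describes, written out as an added TypeScript example (not Kibana's own code): it recognises the CEF header behind each syslog prefix variant in the Testing samples above (bare CEF, RFC 3164 and RFC 5424, each with and without the `<PRI>` field) and rejects the sample with a pointer to the CEF integration. The regexes, the `detectCef`/`screenSample` names and the "any CEF line rejects the batch" rule are assumptions, not the PR's implementation.

```typescript
// Added example (not Kibana's code): a CEF gate of the kind this PR describes.
// It recognises the header variants in the PR's test samples (bare CEF, RFC 3164
// and RFC 5424 syslog prefixes, with or without <PRI>) and rejects the batch.

export type SyslogFormat = 'none' | 'rfc3164' | 'rfc5424';

export interface CefHeader {
  version: number;
  deviceVendor: string;
  deviceProduct: string;
  deviceVersion: string;
  signatureId: string;
  name: string;
  severity: string;
  syslogFormat: SyslogFormat;
}

// RFC 3164 prefix: optional <PRI>, "Mmm dd HH:MM:SS" (day may be space padded), hostname.
const RFC3164_PREFIX = /^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ /;
// RFC 5424 prefix: optional "<PRI>VERSION", ISO timestamp, hostname, app-name, procid,
// msgid, then structured-data ("-" or one or more [...] elements).
const RFC5424_PREFIX =
  /^(?:<\d{1,3}>\d{1,2} )?\d{4}-\d{2}-\d{2}T[\d:.]+(?:Z|[+-]\d{2}:\d{2}) \S+ \S+ \S+ \S+ (?:-|(?:\[[^\]]*\])+) /;

// Split the six header fields that follow "CEF:<version>|" on unescaped '|'.
// CEF escapes '|' and '\' inside header fields with a backslash, so a vendor
// written as "Vendor\|Inc" must stay one field.
function splitCefHeader(body: string): { fields: string[]; extension: string } | null {
  const fields: string[] = [];
  let cur = '';
  let i = 0;
  while (i < body.length && fields.length < 6) {
    const ch = body.charAt(i);
    if (ch === '\\' && i + 1 < body.length) {
      cur += body.charAt(i + 1); // escaped character: keep it literally
      i += 2;
      continue;
    }
    if (ch === '|') {
      fields.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
    i++;
  }
  // Fewer than six delimited fields means a truncated header, not a CEF event.
  if (fields.length < 6) return null;
  return { fields, extension: body.slice(i) };
}

// Returns the parsed CEF header, or null when the line is not a CEF event.
export function detectCef(line: string): CefHeader | null {
  let rest = line.trimStart();
  let syslogFormat: SyslogFormat = 'none';
  const m5424 = RFC5424_PREFIX.exec(rest);
  const m3164 = m5424 ? null : RFC3164_PREFIX.exec(rest);
  if (m5424) {
    rest = rest.slice(m5424[0].length);
    syslogFormat = 'rfc5424';
  } else if (m3164) {
    rest = rest.slice(m3164[0].length);
    syslogFormat = 'rfc3164';
  }
  const ver = /^CEF:(\d+)\|/.exec(rest);
  if (!ver) return null;
  const header = splitCefHeader(rest.slice(ver[0].length));
  if (!header) return null;
  const f = (k: number): string => header.fields[k] ?? '';
  return {
    version: Number(ver[1]), deviceVendor: f(0), deviceProduct: f(1), deviceVersion: f(2),
    signatureId: f(3), name: f(4), severity: f(5), syslogFormat,
  };
}

// Screen an uploaded sample the way the PR's popup does: any CEF line rejects the
// whole batch and points the user at the CEF integration. (The "any line" rule is
// an assumption of this example, not the PR's exact threshold.)
export function screenSample(sample: string): { rejected: boolean; cefLines: number; total: number; message: string | null } {
  const lines = sample.split(/\r?\n/).filter((l) => l.trim().length > 0);
  const cefLines = lines.filter((l) => detectCef(l) !== null).length;
  const message = cefLines > 0 ? `${cefLines} of ${lines.length} lines are CEF events; use the CEF integration instead.` : null;
  return { rejected: cefLines > 0, cefLines, total: lines.length, message };
}
```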

@bhapas bhapas requested a review from a team as a code owner November 26, 2024 13:55
@bhapas bhapas requested a review from semd November 26, 2024 13:55
@bhapas bhapas self-assigned this Nov 26, 2024
@bhapas bhapas added the labels release_note:fix, backport:prev-minor (Backport to (9.1) the previous minor version, i.e. one version back from main), Team:Security-Scalability (Security Integrations Scalability Team) and Feature:AutomaticImport on Nov 26, 2024
@elasticmachine (Contributor) commented:

Pinging @elastic/security-scalability (Team:Security-Scalability)

@bhapas bhapas (Contributor, Author) commented Nov 27, 2024

@elasticmachine merge upstream

@elasticmachine (Contributor) commented:

💚 Build Succeeded

Metrics

Module Count (fewer modules leads to a faster build time):

| id | before | after | diff |
|---|---|---|---|
| integrationAssistant | 471 | 472 | +1 |

Async chunks (total size of all lazy-loaded chunks that will be downloaded as the user navigates the app):

| id | before | after | diff |
|---|---|---|---|
| integrationAssistant | 878.4KB | 879.5KB | +1.2KB |

cc @bhapas

@bhapas bhapas merged commit f6fa94f into elastic:main Dec 2, 2024
8 checks passed
@kibanamachine (Contributor) commented:

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12118658161

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 2, 2024
…ed (elastic#201792)

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit f6fa94f)
@kibanamachine (Contributor) commented:

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions? Please refer to the Backport tool documentation.

kibanamachine added a commit that referenced this pull request Dec 2, 2024
…upported (#201792) (#202444)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)](#201792)

### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Bharat Pasupula <[email protected]>
@bhapas bhapas added the label backport:prev-major (Backport to (8.19, 8.18, 8.17) the previous major branch and other branches in development) on Dec 3, 2024
@kibanamachine (Contributor) commented:

Starting backport for target branches: 8.15, 8.16, 8.17, 8.x

https://github.com/elastic/kibana/actions/runs/12136407529

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 3, 2024
…ed (elastic#201792)

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit f6fa94f)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 3, 2024
…ed (elastic#201792)
@kibanamachine
Contributor

💔 Some backports could not be created

| Status | Branch | Result |
| --- | --- | --- |
| | 8.15 | Backport failed because of merge conflicts |
| | 8.16 | |
| | 8.17 | |
| | 8.x | Cherrypick failed because the selected commit (f6fa94f) is empty. It looks like the commit was already backported in #202444 |

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

node scripts/backport --pr 201792

Questions?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 3, 2024
…supported (#201792) (#202635)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Automatic Import] Reject CEF logs in Auto Import until it is
supported (#201792)](#201792)

<!--- Backport version: 9.4.3 -->

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Bharat
Import and redirect to CEF\\r\\nintegration
instead.\\r\\n\\r\\n##\nSummary\\r\\n\\r\\nCurrently Automatic Import
does not handle CEF logs\nproperly and gives\\r\\nwierd
errors.\\r\\n\\r\\nThis PR identifies the CEF\nlogs and sends an error
popup to\\r\\nalternatively go for CEF
integration\ninstead.\\r\\n\\r\\n<img
width=\\\"1229\\\"\nalt=\\\"image\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d\\\">\\r\\n\\r\\n##\nTesting\\r\\n\\r\\nTested
this with different types of CEF\nlogs\\r\\n\\r\\n```\\r\\n<14>Nov 22
16:19:13 ABQ-ZTA-VRNS-3
CEF:0|Varonis\nInc.|DatAdvantage|8.6.51|6000|Folder permissions
added|3|rt=Nov 22 2024\n16:19:09 cat=Alert cs2=Permissions granted to
Global Access Groups\ncs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov
22 2024 16:19:05\nduser=zta.local\\\\\\\\Dani Lulli (ADMIN)
dhost=10.100.20.12\nfilePath=E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\Finance
fname=Finance act=Folder\npermissions added dvchost= outcome=Success
msg=Read & Execute\npermissions for This folder, subfolders and files
(not inherited) was\nadded to Everyone on
E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\Finance
cs3=\ncs3Label=AttachmentName cs4=
cs4Label=ClientAccessType\ndeviceCustomDate1= fileType= cs1=
cs1Label=MailRecipient suser= cs5=\ncs5Label=MailboxAccessType cnt=
cs6=Read & Execute\ncs6Label=ChangedPermissions oldFilePermission=None
filePermission=Read &\nExecute dpriv=Everyone start=\\r\\n<14>Nov 22
16:44:31 ABQ-ZTA-VRNS-3\nCEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File
opened|2|rt=Nov 22 2024\n16:44:31 cat=Alert cs2=Dani Test - access of
credentials\ncs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024
16:34:33\nduser=zta.local\\\\\\\\Dani Lulli (ADMIN)
dhost=10.100.20.12\nfilePath=E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\B4\\\\\\\\Project
mgmt\\\\\\\\U3\nprojects11.txt:Zone.Identifier fname=U3
projects11.txt:Zone.Identifier\nact=File opened dvchost= outcome=Success
msg= cs3=\ncs3Label=AttachmentName cs4=
cs4Label=ClientAccessType\ndeviceCustomDate1= fileType= cs1=
cs1Label=MailRecipient suser= cs5=\ncs5Label=MailboxAccessType cnt=
cs6=None cs6Label=ChangedPermissions\noldFilePermission=None
filePermission=None
dpriv=\nstart=\\r\\n```\\r\\n\\r\\n```\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|eventId=3457
requestMethod=POST slat=38.915 slong=-77.511\nproto=TCP
sourceServiceName=httpd
requestContext=https://www.google.com\nsrc=89.160.20.156 spt=33876
dst=192.168.10.1
dpt=443\nrequest=https://www.example.com/cart\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123\nsrc=89.160.20.156
spt=33876 dst=89.160.20.156 dpt=443 duser=alice\nsuser=bob
destinationTranslatedAddress=10.10.10.10\nfileHash=bc8bbe52f041fd17318f08a0f73762ce\noldFileHash=a9796280592f86b74b27e370662d41eb\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user\ndpriv=root\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This\nevent
is padded with whitespace
dst=192.168.1.2\nsrc=192.168.3.4\\r\\n```\\r\\n\\r\\n```\\r\\n<163>Apr 1
05:14:15
192.0.2.1\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc3164\\r\\nApr
1 05:14:15
192.0.2.1\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc3164\\r\\n<164>1
2021-04-01T05:14:15.000003-05:00\n192.0.2.1 rfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003-05:00
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n<165>1
2021-04-01T05:14:15.000003Z 192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003Z
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n```\\r\\n\\r\\n###
Checklist\\r\\n\\r\\nCheck the PR\nsatisfies following conditions.
\\r\\n\\r\\nReviewers should verify this PR\nsatisfies this list as
well.\\r\\n\\r\\n- [x] Any text added follows
[EUI's\nwriting\\r\\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),\nuses\\r\\nsentence
case text and
includes\n[i18n\\r\\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\\r\\n-\n[\n]\\r\\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\\r\\nwas\nadded
for features that require explanation or tutorials\\r\\n- [x]
[Unit\nor\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\nupdated
or added to match the most common scenarios\\r\\n- [x] The
PR\ndescription includes the appropriate Release Notes section,\\r\\nand
the\ncorrect `release_note:*` label is applied
per\nthe\\r\\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\\r\\n\\r\\n---------\\r\\n\\r\\nCo-authored-by:\nElastic
Machine\n<[email protected]>\",\"sha\":\"f6fa94f4768f8a2623fceaaf242ead24a3667ad6\"}}]}]\nBACKPORT-->\n\nCo-authored-by:
Bharat Pasupula <[email protected]>"}}]}]
BACKPORT-->

Co-authored-by: Bharat Pasupula <[email protected]>
kibanamachine added a commit that referenced this pull request Dec 3, 2024
…supported (#201792) (#202636)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Automatic Import] Reject CEF logs in Auto Import until it is supported (#201792)](#201792)

<!--- Backport version: 9.4.3 -->

### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

<!--BACKPORT
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003-05:00
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n<165>1
2021-04-01T05:14:15.000003Z 192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003Z
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n```\\r\\n\\r\\n###
Checklist\\r\\n\\r\\nCheck the PR\nsatisfies following conditions.
\\r\\n\\r\\nReviewers should verify this PR\nsatisfies this list as
well.\\r\\n\\r\\n- [x] Any text added follows
[EUI's\nwriting\\r\\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),\nuses\\r\\nsentence
case text and
includes\n[i18n\\r\\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\\r\\n-\n[\n]\\r\\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\\r\\nwas\nadded
for features that require explanation or tutorials\\r\\n- [x]
[Unit\nor\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\nupdated
or added to match the most common scenarios\\r\\n- [x] The
PR\ndescription includes the appropriate Release Notes section,\\r\\nand
the\ncorrect `release_note:*` label is applied
per\nthe\\r\\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\\r\\n\\r\\n---------\\r\\n\\r\\nCo-authored-by:\nElastic
Machine\n<[email protected]>\",\"sha\":\"f6fa94f4768f8a2623fceaaf242ead24a3667ad6\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v9.0.0\",\"branchLabelMappingKey\":\"^v9.0.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/201792\",\"number\":201792,\"mergeCommit\":{\"message\":\"[Automatic\nImport]
Reject CEF logs in Auto Import until it is supported\n(#201792)\\n\\n##
Release Note\\r\\n\\r\\nRestrict and Reject CEF logs in\nAutomatic
Import and redirect to CEF\\r\\nintegration
instead.\\r\\n\\r\\n##\nSummary\\r\\n\\r\\nCurrently Automatic Import
does not handle CEF logs\nproperly and gives\\r\\nwierd
errors.\\r\\n\\r\\nThis PR identifies the CEF\nlogs and sends an error
popup to\\r\\nalternatively go for CEF
integration\ninstead.\\r\\n\\r\\n<img
width=\\\"1229\\\"\nalt=\\\"image\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d\\\">\\r\\n\\r\\n##\nTesting\\r\\n\\r\\nTested
this with different types of CEF\nlogs\\r\\n\\r\\n```\\r\\n<14>Nov 22
16:19:13 ABQ-ZTA-VRNS-3
CEF:0|Varonis\nInc.|DatAdvantage|8.6.51|6000|Folder permissions
added|3|rt=Nov 22 2024\n16:19:09 cat=Alert cs2=Permissions granted to
Global Access Groups\ncs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov
22 2024 16:19:05\nduser=zta.local\\\\\\\\Dani Lulli (ADMIN)
dhost=10.100.20.12\nfilePath=E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\Finance
fname=Finance act=Folder\npermissions added dvchost= outcome=Success
msg=Read & Execute\npermissions for This folder, subfolders and files
(not inherited) was\nadded to Everyone on
E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\Finance
cs3=\ncs3Label=AttachmentName cs4=
cs4Label=ClientAccessType\ndeviceCustomDate1= fileType= cs1=
cs1Label=MailRecipient suser= cs5=\ncs5Label=MailboxAccessType cnt=
cs6=Read & Execute\ncs6Label=ChangedPermissions oldFilePermission=None
filePermission=Read &\nExecute dpriv=Everyone start=\\r\\n<14>Nov 22
16:44:31 ABQ-ZTA-VRNS-3\nCEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File
opened|2|rt=Nov 22 2024\n16:44:31 cat=Alert cs2=Dani Test - access of
credentials\ncs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024
16:34:33\nduser=zta.local\\\\\\\\Dani Lulli (ADMIN)
dhost=10.100.20.12\nfilePath=E:\\\\\\\\Share\\\\\\\\Share\\\\\\\\B4\\\\\\\\Project
mgmt\\\\\\\\U3\nprojects11.txt:Zone.Identifier fname=U3
projects11.txt:Zone.Identifier\nact=File opened dvchost= outcome=Success
msg= cs3=\ncs3Label=AttachmentName cs4=
cs4Label=ClientAccessType\ndeviceCustomDate1= fileType= cs1=
cs1Label=MailRecipient suser= cs5=\ncs5Label=MailboxAccessType cnt=
cs6=None cs6Label=ChangedPermissions\noldFilePermission=None
filePermission=None
dpriv=\nstart=\\r\\n```\\r\\n\\r\\n```\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|eventId=3457
requestMethod=POST slat=38.915 slong=-77.511\nproto=TCP
sourceServiceName=httpd
requestContext=https://www.google.com\nsrc=89.160.20.156 spt=33876
dst=192.168.10.1
dpt=443\nrequest=https://www.example.com/cart\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123\nsrc=89.160.20.156
spt=33876 dst=89.160.20.156 dpt=443 duser=alice\nsuser=bob
destinationTranslatedAddress=10.10.10.10\nfileHash=bc8bbe52f041fd17318f08a0f73762ce\noldFileHash=a9796280592f86b74b27e370662d41eb\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user\ndpriv=root\\r\\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This\nevent
is padded with whitespace
dst=192.168.1.2\nsrc=192.168.3.4\\r\\n```\\r\\n\\r\\n```\\r\\n<163>Apr 1
05:14:15
192.0.2.1\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc3164\\r\\nApr
1 05:14:15
192.0.2.1\nCEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc3164\\r\\n<164>1
2021-04-01T05:14:15.000003-05:00\n192.0.2.1 rfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003-05:00
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n<165>1
2021-04-01T05:14:15.000003Z 192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n2021-04-01T05:14:15.000003Z
192.0.2.1\nrfc5424App 8710 - -
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web\nrequest|low|msg=rfc5424\\r\\n```\\r\\n\\r\\n###
Checklist\\r\\n\\r\\nCheck the PR\nsatisfies following conditions.
\\r\\n\\r\\nReviewers should verify this PR\nsatisfies this list as
well.\\r\\n\\r\\n- [x] Any text added follows
[EUI's\nwriting\\r\\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),\nuses\\r\\nsentence
case text and
includes\n[i18n\\r\\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\\r\\n-\n[\n]\\r\\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\\r\\nwas\nadded
for features that require explanation or tutorials\\r\\n- [x]
[Unit\nor\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\nupdated
or added to match the most common scenarios\\r\\n- [x] The
PR\ndescription includes the appropriate Release Notes section,\\r\\nand
the\ncorrect `release_note:*` label is applied
per\nthe\\r\\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\\r\\n\\r\\n---------\\r\\n\\r\\nCo-authored-by:\nElastic
Machine\n<[email protected]>\",\"sha\":\"f6fa94f4768f8a2623fceaaf242ead24a3667ad6\"}}]}]\nBACKPORT-->\n\nCo-authored-by:
Bharat Pasupula <[email protected]>"}}]}]
BACKPORT-->

Co-authored-by: Bharat Pasupula <[email protected]>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…ed (elastic#201792)

## Release Note

Restrict and Reject CEF logs in Automatic Import and redirect to CEF
integration instead.

## Summary

Currently Automatic Import does not handle CEF logs properly and gives
weird errors.

This PR identifies the CEF logs and sends an error popup to
alternatively go for CEF integration instead.

<img width="1229" alt="image"
src="https://github.com/user-attachments/assets/59037dd4-323a-476a-9747-950fbc6e384d">

## Testing

Tested this with different types of CEF logs

```
<14>Nov 22 16:19:13 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\Share\\Share\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to  Everyone on E:\\Share\\Share\\Finance cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=None filePermission=Read & Execute dpriv=Everyone start=
<14>Nov 22 16:44:31 ABQ-ZTA-VRNS-3 CEF:0|Varonis Inc.|DatAdvantage|8.6.51|1|File opened|2|rt=Nov 22 2024 16:44:31 cat=Alert cs2=Dani Test - access of credentials cs2Label=RuleName cn1=184 cn1Label=RuleID end=Nov 22 2024 16:34:33 duser=zta.local\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\Share\\Share\\B4\\Project mgmt\\U3 projects11.txt:Zone.Identifier fname=U3 projects11.txt:Zone.Identifier act=File opened dvchost= outcome=Success msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6=None cs6Label=ChangedPermissions oldFilePermission=None filePermission=None dpriv= start=
```

```
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root
CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4
```

```
<163>Apr  1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164
Apr  1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164
<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
<165>1 2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
2021-04-01T05:14:15.000003Z 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424
```

### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Elastic Machine <[email protected]>
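The CEF check this PR describes, as an added example that is not Kibana's code: it recognizes the bare, RFC 3164-wrapped and RFC 5424-wrapped forms shown in the test data above, splits the CEF header while honouring `\|` escapes, and applies an assumed all-lines rule for deciding that a sample should be redirected to the CEF integration. The function names, the sample lines and the all-lines policy are assumptions, not the PR's implementation.

```typescript
// Added example, not Kibana's own code: detect CEF records in a log sample, including
// ones behind an RFC 3164 or RFC 5424 syslog header, and split the CEF header.
interface CefHeader {
  version: number; deviceVendor: string; deviceProduct: string; deviceVersion: string;
  signatureId: string; name: string; severity: string; extension: string; // extension is raw
}
// "CEF:<n>|" at line start or after whitespace covers bare CEF, "<PRI>" plus an
// RFC 3164 "Apr  1 05:14:15 host" header, and an RFC 5424 "1 <ts> host app pid - -" header.
const CEF_PREFIX = /(?:^|\s)CEF:(\d+)\|/;
function isCef(line: string): boolean {
  return CEF_PREFIX.test(line);
}
// Split the header on unescaped pipes ("\|" and "\\" are escapes in header fields);
// returns the six header fields followed by the raw extension, or null if the header is short.
function splitHeader(s: string): string[] | null {
  const fields: string[] = [];
  let cur = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charAt(i);
    if (c === '\\' && i + 1 < s.length) { cur += s.charAt(i + 1); i++; continue; }
    if (c !== '|') { cur += c; continue; }
    fields.push(cur); cur = '';
    if (fields.length === 6) { fields.push(s.slice(i + 1)); return fields; }
  }
  return null;
}

function parseCef(line: string): CefHeader | null {
  const m = CEF_PREFIX.exec(line);
  if (!m) return null;
  const f = splitHeader(line.slice(m.index + m[0].length)); // text after "CEF:<n>|"
  if (!f) return null;
  return { version: Number(m[1]), deviceVendor: f[0], deviceProduct: f[1], deviceVersion: f[2],
    signatureId: f[3], name: f[4], severity: f[5], extension: f[6] };
}

// Assumed policy, not the PR's exact rule: the sample counts as CEF only when every
// non-empty line carries a CEF record, so a mixed sample is not misclassified.
function isCefSample(lines: string[]): boolean {
  const nonEmpty = lines.filter((l) => l.trim() !== '');
  return nonEmpty.length > 0 && nonEmpty.every(isCef);
}

// Constructed sample lines modelled on the PR's test data, plus an escaped-pipe case.
const CEF_SAMPLE: string[] = [
  'CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST',
  '<163>Apr  1 05:14:15 192.0.2.1 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc3164',
  '<164>1 2021-04-01T05:14:15.000003-05:00 192.0.2.1 rfc5424App 8710 - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|msg=rfc5424',
  'CEF:0|Acme|Proxy|2.1|42|Name with \\| escaped pipe|high|msg=x',
];
```

The prefix match deliberately requires whitespace or line start before `CEF:`, so a `CEF:` token buried inside another format's message field does not by itself trigger the redirect.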
Labels: backport:prev-major (Backport to (8.19, 8.18, 8.17) the previous major branch and other branches in development), backport:prev-minor (Backport to (9.1) the previous minor version, i.e. one version back from main), Feature:AutomaticImport, release_note:fix, Team:Security-Scalability (Security Integrations Scalability Team), v8.16.2, v8.17.0, v8.18.0, v9.0.0