[checkpoint] Improve firewall session log handling

[srilumpa]

Proposed commit message

Add handling of Check Point firewall session logs in accordance with the ECS
structure.

Session logs aggregate multiple connection logs from the same network
activity into a single event. The aggregation creates the following fields:

- creation_time: UNIX timestamp of the first connection in the session.
- last_hit_time: UNIX timestamp of the last recorded connection in the session.
- duration: Duration (in seconds) of the session.
- aggregated_log_count: Number of connection logs aggregated into the session.
- connection_count: Number of connections recorded in the session.
- update_count: Number of times the session was updated.

This commit will:

1. Interpret creation_time and last_hit_time as dates, storing them in the ECS
fields event.start and event.end, respectively.
2. Convert duration to nanoseconds, as per the ECS event.duration specification,
and store it in the event.duration field.
3. Ensure checkpoint.aggregated_log_count, checkpoint.connection_count, and
checkpoint.update_count are mapped to numeric types.

Note that `checkpoint.aggregated_log_count`, `checkpoint.connection_count`, and
`checkpoint.update_count` which were previously mapped dynamically as keyword
data types are now statically mapped as integer data types.

Closes #11894

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

How to test this PR locally

Related issues

• Closes [Checkpoint]: Processing and mapping of Checkpoint Firewall session logs #11894

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[srilumpa]

BTW, I mentioned it in the changelog but not in the PR commit message but this change will probably result in a mapping change for the three non-ECS fields (checkpoint.aggregated_log_count, checkpoint.connection_count and checkpoint.update_count) as they were dynamically mapped to a keyword but are now mapped to an integer.

[taylor-swanson]

@andrewkroh, what are you thoughts on making this a breaking change? When the types of existing fields are changed (keyword -> integer in this case), how does that affect existing, indexed documents?

[andrewkroh]

When the types of existing fields are changed (keyword -> integer in this case), how does that affect existing, indexed documents?

It will not change any existing indexed data. Only the the new index that is created after the package upgrade, which triggers and data stream index rollover, will have the new mapping.

This means that queries that span older indices can have problems when they involve these fields since numeric comparisons cannot execute on the older data.

[andrewkroh]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 72599cbb9884291aeabbdab28707498c05db33e7

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elastic-vault-github-plugin-prod]

Package checkpoint - 1.35.0 containing this change is available at https://epr.elastic.co/package/checkpoint/1.35.0/