Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Add dashboards to CEF module #14342

Merged
merged 15 commits into from
Nov 27, 2019
Merged

[Filebeat] Add dashboards to CEF module #14342

merged 15 commits into from
Nov 27, 2019

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Oct 30, 2019
edited
Loading

This migrates the dashboards from the Logstash ArcSight module into the Filebeat CEF module.

Breaking Change: The mapping for the cef.extension.* fields was changed from all keyword types to match the data types defined in the CEF guide. The decode_cef processor will convert the strings to the correct data type. If any value does not convert then that field is dropped and error.message is updated with info about the failure.

And because of the limit on field expansion in Elasticsearch queries the cef.extension.* fields are excluded from default_field in Filebeat's index template.

@andrewkroh andrewkroh added the Filebeat Filebeat label Oct 30, 2019
@andrewkroh andrewkroh force-pushed the feature/fb/cef-module-dashboards branch from 59559b7 to b0df5af Compare October 31, 2019 18:36
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh marked this pull request as ready for review October 31, 2019 18:38
@andrewkroh andrewkroh requested a review from a team as a code owner October 31, 2019 18:38
@andrewkroh andrewkroh force-pushed the feature/fb/cef-module-dashboards branch from a36306f to ca9a036 Compare November 14, 2019 15:27
@andrewkroh andrewkroh force-pushed the feature/fb/cef-module-dashboards branch from efc0791 to 715f046 Compare November 18, 2019 21:16
adriansr
adriansr approved these changes Nov 25, 2019
View reviewed changes
x-pack/filebeat/processors/decode_cef/cef/types.go Outdated Show resolved Hide resolved
CHANGELOG.next.asciidoc
@@ -401,6 +402,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
- Remove beta flag for some filebeat modules. {pull}14374[14374]
- Add attack_pattern_kql field to MISP threat indicators. {pull}14470[14470]
- Add dashboards to the CEF module (ported from the Logstash ArcSight module).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dupe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed

@andrewkroh
Import Arcsight module dashboards from Logstash
a154534 
Load dashboards to Kibana 8 via Logstash module setup.
Then use mage exportDashboard to download each of them to Beats.
@andrewkroh
Change index pattern from arcsight-* to filebeat-*
b6e0dfc
@andrewkroh
Make UUIDs unique from Logstash module
c64d6bf
@andrewkroh
Change [ArcSight] to [Filebeat CEF] in titles
1e07482
@andrewkroh
Fix dashboard IDs in navigation
40567aa
@andrewkroh
Update field names in dashboards
91b444f
@andrewkroh
Convert CEF extension value data types
d5c00a5 
Previously all of cef.extensions.* were string values. Now it uses the data types that are defined for each CEF field to do the translation within the processor. If the field is not the correct data type then the value is dropped from the event in order to avoid mapping exceptions at index time.
@andrewkroh
Add fields for ArcSight to the mapping
b4d37da 
These fields aren't specifically in CEF. They are commonly used in ArcSight.
@andrewkroh
Exclude cef.extension fields from default_field and update dashboards
182d087
@andrewkroh
Add descriptions to dashboards
9db7922
@andrewkroh
Add changelog
f0e53aa
@andrewkroh
Add PR number to change log
ce71f11
@andrewkroh
Fix translation of requestContext
c50085b
@andrewkroh
Update golden file
10c5dc4
@andrewkroh
Fix import / remove duplicate changelog entry
6f9d1b8
@andrewkroh andrewkroh force-pushed the feature/fb/cef-module-dashboards branch from 715f046 to 6f9d1b8 Compare November 25, 2019 20:17
@andrewkroh andrewkroh merged commit a77de0d into elastic:master Nov 27, 2019
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Nov 27, 2019
@andrewkroh andrewkroh mentioned this pull request Jan 2, 2020
Merged
@andrewkroh andrewkroh added v7.6.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jan 2, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jan 8, 2020
@andrewkroh
[Filebeat] Add dashboards to CEF module (elastic#14342)
5575bfb 
* Import Arcsight module dashboards from Logstash

Load dashboards to Kibana 8 via Logstash module setup.
Then use mage exportDashboard to download each of them to Beats.

* Change index pattern from arcsight-* to filebeat-*

* Make UUIDs unique from Logstash module

* Change [ArcSight] to [Filebeat CEF] in titles

* Fix dashboard IDs in navigation

* Update field names in dashboards

* Convert CEF extension value data types

Previously all of cef.extensions.* were string values. Now it uses the data types that are defined for each CEF field to do the translation within the processor. If the field is not the correct data type then the value is dropped from the event in order to avoid mapping exceptions at index time.

* Add fields for ArcSight to the mapping

These fields aren't specifically in CEF. They are commonly used in ArcSight.

* Exclude cef.extension fields from default_field and update dashboards

* Add descriptions to dashboards

(cherry picked from commit a77de0d)
andrewkroh added a commit that referenced this pull request Jan 8, 2020
@andrewkroh
[Filebeat] Add dashboards to CEF module (#14342) (#15298)
bc2a790 
* Import Arcsight module dashboards from Logstash

Load dashboards to Kibana 8 via Logstash module setup.
Then use mage exportDashboard to download each of them to Beats.

* Change index pattern from arcsight-* to filebeat-*

* Make UUIDs unique from Logstash module

* Change [ArcSight] to [Filebeat CEF] in titles

* Fix dashboard IDs in navigation

* Update field names in dashboards

* Convert CEF extension value data types

Previously all of cef.extensions.* were string values. Now it uses the data types that are defined for each CEF field to do the translation within the processor. If the field is not the correct data type then the value is dropped from the event in order to avoid mapping exceptions at index time.

* Add fields for ArcSight to the mapping

These fields aren't specifically in CEF. They are commonly used in ArcSight.

* Exclude cef.extension fields from default_field and update dashboards

* Add descriptions to dashboards

(cherry picked from commit a77de0d)
@MarkSettleES
Copy link

@jamiesmith, I wanted to bring this to your attention because I recall getting your help last year with a screenshot of a dashboard of CEF-formatted data and figure that you might find it helpful to know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
breaking change Filebeat Filebeat review v7.6.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@andrewkroh @elasticmachine @MarkSettleES @adriansr @urso