Add audit fileset to googlecloud module #15200

Merged
merged 23 commits into from Jan 4, 2020
Conversation

alakahakai
Add audit fileset to googlecloud module to support GCP audit log.

@alakahakai alakahakai requested a review from a team as a code owner December 19, 2019 01:33
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

Contributor

@webmat webmat left a comment

Up until ECS 1.3, event.type was reserved and should not have been used.

With ECS 1.4 we've started introducing the first allowed values for the 4 ECS categorization fields, event.type is one of them. If none of the values currently allowed per this new documentation section are fitting for this event source, the fields should be left empty for now.

Other than event.type, this LGTM though.

@alakahakai
Author

alakahakai commented Dec 20, 2019

> Up until ECS 1.3, event.type was reserved and should not have been used.
>
> With ECS 1.4 we've started introducing the first allowed values for the 4 ECS categorization fields, event.type is one of them. If none of the values currently allowed per this new documentation section are fitting for this event source, the fields should be left empty for now.
>
> Other than event.type, this LGTM though.

I can leave these two fields empty: event.category and event.type.

However, currently for the googlecloud module, vpcflow fileset uses the following:

```javascript
var categorizeEvent = new processor.AddFields({
    target: "event",
    fields: {
        category: "network_traffic",
        type: "flow",
    },
});
```

And firewall fileset uses:

```javascript
builder.Add("categorizeEvent", new processor.AddFields({
    target: "event",
    fields: {
        category: "firewall-rule",
        type: "firewall"
    },
}));
```

So the audit fileset sets these fields to be somehow consistent.
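The gate that the ECS guidance in this thread implies, written out as an added example (it is not code from this PR or from Beats, and it uses plain JavaScript rather than the Filebeat `processor` API): `categorizeEvent` sets `event.category` / `event.type` only when every proposed value is in the ECS allowed-values list and otherwise leaves the field unset, reporting what it rejected so the fileset author can see why. The `ALLOWED` sets are a partial list as I recall it from the ECS 1.4 categorization docs, and the `iam` / `access` pairing used for the audit sample is illustrative; both are assumptions, not something this PR states.

```javascript
// Added example, not code from the beats repository. Applies the ECS 1.4 rule
// from the discussion: populate event.category / event.type only with values
// the ECS allowed-values list contains, otherwise leave the field unset.
// ALLOWED is a partial list recalled from the ECS 1.4 docs (an assumption,
// not the authoritative list).
const ALLOWED = {
  category: new Set(["authentication", "file", "iam", "network", "process"]),
  type: new Set(["access", "change", "connection", "creation", "deletion", "end", "info", "start"]),
};

// Normalise a proposed value (string, array, or missing) to an array of strings.
function toArray(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// categorizeEvent(evt, proposal): returns { doc, rejected } where doc is a copy
// of evt with event.category / event.type set only when every proposed value
// is allowed. A field with any disallowed value is left absent and its bad
// values are listed in `rejected[field]`.
function categorizeEvent(evt, proposal) {
  const doc = JSON.parse(JSON.stringify(evt)); // do not mutate the caller's event
  doc.event = doc.event || {};
  const rejected = {};
  for (const field of ["category", "type"]) {
    const values = toArray(proposal[field]);
    if (values.length === 0) continue; // nothing proposed: leave the field alone
    const bad = values.filter((v) => !ALLOWED[field].has(v));
    if (bad.length > 0) {
      rejected[field] = bad; // leave doc.event[field] unset, per the ECS guidance
    } else {
      doc.event[field] = values; // ECS categorization fields are arrays
    }
  }
  return { doc, rejected };
}

// Constructed sample input mirroring the three filesets' proposals. The audit
// pairing (iam / access) is illustrative only.
const SAMPLES = [
  { name: "vpcflow", evt: { message: "vpc flow (constructed)" }, proposal: { category: "network_traffic", type: "flow" } },
  { name: "firewall", evt: { message: "firewall (constructed)" }, proposal: { category: "firewall-rule", type: "firewall" } },
  { name: "audit", evt: { message: "audit (constructed)" }, proposal: { category: ["iam"], type: ["access"] } },
];

// Run every sample through the gate and return the results for inspection.
function runSamples() {
  return SAMPLES.map((s) => Object.assign({ name: s.name }, categorizeEvent(s.evt, s.proposal)));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.name, JSON.stringify(r.doc.event), "rejected:", JSON.stringify(r.rejected));
  }
}
```

With the values from the vpcflow and firewall snippets above, both fields come back unset and the rejected values are reported, which is the outcome the ECS guidance asks for; only a proposal drawn entirely from the allowed list results in populated fields.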

@webmat
Contributor

webmat commented Dec 23, 2019

@alakahakai Every time I've seen one of the reserved fields being used, I've warned that it would have to change eventually, and that the fields shouldn't be used. Many times this was ignored 🤷‍♂

If you leave it like this, you're setting yourself up to have to change this module as well, in the 7.x line.

@alakahakai
Author

alakahakai commented Dec 24, 2019

> @alakahakai Every time I've seen one of the reserved fields being used, I've warned that it would have to change eventually, and that the fields shouldn't be used. Many times this was ignored 🤷‍♂
>
> If you leave it like this, you're setting yourself up to have to change this module as well, in the 7.x line.

@webmat I will not set these two fields for now. Thanks.
