[Filebeat][New Module] Zoom webhook module #20414
Conversation
Pinging @elastic/siem (Team:SIEM)
CI is failing due to:
Need to fix a few more outputs from the test logs, but other than that it should be pretty complete now.
@andrewstucki didn't expect you to be this quick, was thinking about doing one final run through fields.yml and fixing up some descriptions since plenty of them had been changed a bit. :) For the zoomroom bit, the field name is related to the webhook endpoint. So the meeting endpoint ends up under zoom.meeting.* while the zoomroom endpoint ends up with the unfortunate name of zoom.zoomroom.*. It does have a special relation to something called Zoom Rooms though: these are conference rooms with dedicated equipment connected to Zoom, which has its own API endpoint.
Okay, now I think the fields.yml is ready for a review @andrewstucki :) Updated types and added better descriptions
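The naming rule from the comment above (events from the meeting endpoint land under zoom.meeting.*, events from the zoomroom endpoint under zoom.zoomroom.*), shown as an added example; this is not the module's own ingest pipeline. It assumes the Zoom webhook body shape (event, event_ts, payload.object), a constructed sample body, and a hypothetical shared-secret Authorization header that the receiver checks before trusting the body.

```python
"""Route a Zoom webhook body into a zoom.<endpoint>.* namespace plus ECS event.* fields."""
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical shared secret configured on both Zoom and the receiver (assumption).
EXPECTED_TOKEN = "example-verification-token"


def build_body(event: str, obj: dict, event_ts_ms: int, account_id: str = "AbC123") -> str:
    """Construct a webhook body in the Zoom format (used for the sample below)."""
    return json.dumps({"event": event, "event_ts": event_ts_ms,
                       "payload": {"account_id": account_id, "object": obj}})


# Constructed sample: a meeting.started event, 2020-08-12T14:30:00Z.
SAMPLE_MEETING = build_body("meeting.started",
                            {"id": 91234567890, "topic": "Weekly sync", "type": 2,
                             "host_id": "host-001", "start_time": "2020-08-12T14:30:00Z"},
                            1597242600000)


def verify_token(headers: dict, expected: str = EXPECTED_TOKEN) -> bool:
    """Constant-time comparison of the Authorization header against the shared secret."""
    return hmac.compare_digest(headers.get("authorization", ""), expected)


def to_event(body: str) -> dict:
    """Map one webhook body to a flat document keyed by dotted field names."""
    doc = json.loads(body)
    event_name = doc["event"]                  # e.g. "meeting.started", "zoomroom.alert"
    endpoint = event_name.split(".", 1)[0]     # the prefix picks the zoom.<endpoint>.* namespace
    ts = datetime.fromtimestamp(doc["event_ts"] / 1000, tz=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "event.action": event_name,
        "event.kind": "event",
        f"zoom.{endpoint}": doc["payload"]["object"],
    }


def handle(headers: dict, body: str) -> Optional[dict]:
    """Return the mapped document, or None when the shared-secret check fails."""
    if not verify_token(headers):
        return None
    return to_event(body)
```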
initial comments
I've given the fields a quick look, and entered comments for some of the things I've seen. This is not a thorough review :-)
One thing of note: in ECS a community member has recently opened an ECS RFC (RFC 0003) to capture audit logs on random things in accounts like Zoom meetings and others. The RFC is still in the very early stages, so no action is needed for now. But just putting the idea out there that there's a place coming in ECS for audit logs on "everything else" that doesn't have a clean place in ECS (as opposed to audit logs on files, users, etc.) :-)
Will add in the last two comments tomorrow as they require a bit more work, but the rest should now have been marked resolved.
This should also wait for #20435 to be merged first, so that the new config items are added to the manifest, else the builds will fail.
There have been a lot of changes to how similar fields are merged and how dates, timestamps, event.start/end and duration are calculated, so it might need a fresh review. All the PR comments have been incorporated as well.
Running some last tests on this and then it should be ready for one last review.
jenkins test this please |
@andrewkroh Added the SSL option, though the documentation for that is a bit more tricky; I don't think it would be sufficient to add in the docs for the common SSL options, or? The input itself is using " Anything else needed to be reviewed for this module before we find it complete?
Linking to the shared SSL docs should be fine, similar to what Okta does. The inputs that accept TLS connections use those docs. |
Jenkins test this please |
jenkins, test this |
In case CI issues persist for a while, locally the zoom tests are passing green:
This PR creates a module and fileset for Zoom webhooks, allowing filebeat to ingest webhooks initiated from Zoom and map it to ECS. (cherry picked from commit 1a35f77)
What does this PR do?
This PR creates a module and fileset for Zoom webhooks, allowing filebeat to ingest webhooks initiated from Zoom and map it to ECS.
Why is it important?
Adds a new supported product to Filebeat.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Author's Checklist