
Update ECS to 8.5.2 #322

Merged
merged 3 commits into from
Nov 29, 2022

Conversation

kevinlog
Contributor

@kevinlog kevinlog commented Nov 29, 2022

Change Summary

Update the ECS version that Endpoint pulls in to 8.5.2. This is primarily done to get the updated field type for env_vars.

Sample values

    "env_vars": [
      "NICK=test",
      "OTHER=why"
    ],

Sample document:

{
  "@timestamp": "2022-11-29T20:16:45.9250502Z",
  "agent": {
    "id": "13146eac-6aa0-4332-86d7-21575ed20003",
    "type": "endpoint",
    "version": "8.6.0"
  },
  "data_stream": {
    "dataset": "endpoint.events.process",
    "namespace": "default",
    "type": "logs"
  },
  "ecs": {
    "version": "1.11.0"
  },
  "elastic": {
    "agent": {
      "id": "13146eac-6aa0-4332-86d7-21575ed20003"
    }
  },
  "event": {
    "action": "end",
    "category": [
      "process"
    ],
    "created": "2022-11-29T20:16:45.9250502Z",
    "dataset": "endpoint.events.process",
    "id": "MsIOUUNct/5WrYET+++++lrj",
    "kind": "event",
    "module": "endpoint",
    "sequence": 182036,
    "type": [
      "end"
    ]
  },
  "group": {
    "Ext": {
      "real": {
        "id": 1000,
        "name": "ubuntu"
      }
    },
    "id": 1000,
    "name": "ubuntu"
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "ip-172-31-43-131",
    "id": "ec26a1ec5202d364ef6a05e10e414002",
    "ip": [
      "127.0.0.1",
      "::1",
      "172.31.43.131",
      "fe80::8b6:e0ff:fe0b:3b80"
    ],
    "mac": [
      "0a:b6:e0:0b:3b:80"
    ],
    "name": "ip-172-31-43-131",
    "os": {
      "Ext": {
        "variant": "Ubuntu"
      },
      "family": "ubuntu",
      "full": "Ubuntu 20.04.5",
      "kernel": "5.15.0-1022-aws #26~20.04.1-Ubuntu SMP Sat Oct 15 03:22:07 UTC 2022",
      "name": "Linux",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.5"
    }
  },
  "message": "Endpoint process event",
  "process": {
    "Ext": {
      "ancestry": [
        "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM5LTE2Njk3NTI5NTM=",
        "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM4LTE2Njk3NTI5NTM=",
        "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NjIyLTE2Njk3NTI5NTE=",
        "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTcyNy0xNjY5NjY0NDM2",
        "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTEtMTY2OTY2NDM4MA=="
      ]
    },
    "args": [
      "sleep",
      "10"
    ],
    "args_count": 2,
    "command_line": "sleep 10",
    "end": "2022-11-29T20:16:45.9250502Z",
    "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4ODkwLTE2Njk3NTI5OTU=",
    "entry_leader": {
      "args": [
        "-bash"
      ],
      "args_count": 1,
      "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM5LTE2Njk3NTI5NTM=",
      "entry_meta": {
        "source": {
          "ip": "73.134.228.157"
        },
        "type": "sshd"
      },
      "executable": "/bin/bash",
      "group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "interactive": true,
      "name": "bash",
      "parent": {
        "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM4LTE2Njk3NTI5NTM=",
        "pid": 18738,
        "start": "2022-11-29T20:15:53.47Z"
      },
      "pid": 18739,
      "real_group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "real_user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "same_as_process": false,
      "start": "2022-11-29T20:15:53.59Z",
      "supplemental_groups": [
        {
          "id": 4,
          "name": "adm"
        },
        {
          "id": 20,
          "name": "dialout"
        },
        {
          "id": 24,
          "name": "cdrom"
        },
        {
          "id": 25,
          "name": "floppy"
        },
        {
          "id": 27,
          "name": "sudo"
        },
        {
          "id": 29,
          "name": "audio"
        },
        {
          "id": 30,
          "name": "dip"
        },
        {
          "id": 44,
          "name": "video"
        },
        {
          "id": 46,
          "name": "plugdev"
        },
        {
          "id": 117,
          "name": "netdev"
        },
        {
          "id": 118,
          "name": "lxd"
        }
      ],
      "tty": {
        "char_device": {
          "major": 136,
          "minor": 0
        }
      },
      "user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "working_directory": "/home/ubuntu"
    },
    "env_vars": [
      "NICK=test",
      "OTHER=why"
    ],
    "executable": "/usr/bin/sleep",
    "exit_code": 0,
    "group": {
      "id": 1000,
      "name": "ubuntu"
    },
    "group_leader": {
      "args": [
        "sleep",
        "10"
      ],
      "args_count": 2,
      "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4ODkwLTE2Njk3NTI5OTU=",
      "executable": "/usr/bin/sleep",
      "group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "interactive": true,
      "name": "sleep",
      "pid": 18890,
      "real_group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "real_user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "same_as_process": true,
      "start": "2022-11-29T20:16:35.9Z",
      "supplemental_groups": [
        {
          "id": 4,
          "name": "adm"
        },
        {
          "id": 20,
          "name": "dialout"
        },
        {
          "id": 24,
          "name": "cdrom"
        },
        {
          "id": 25,
          "name": "floppy"
        },
        {
          "id": 27,
          "name": "sudo"
        },
        {
          "id": 29,
          "name": "audio"
        },
        {
          "id": 30,
          "name": "dip"
        },
        {
          "id": 44,
          "name": "video"
        },
        {
          "id": 46,
          "name": "plugdev"
        },
        {
          "id": 117,
          "name": "netdev"
        },
        {
          "id": 118,
          "name": "lxd"
        }
      ],
      "tty": {
        "char_device": {
          "major": 136,
          "minor": 0
        }
      },
      "user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "working_directory": "/home/ubuntu"
    },
    "hash": {
      "md5": "fcba58db24e5e3672c4d70a3bb01d7a4",
      "sha1": "cae542290d1bb5c91c637350e0a633f71fd2a6e4",
      "sha256": "45cf3208dc6704e806bbc5d776e884b5487744bd75171a93930c94e9b9b20ebb"
    },
    "interactive": true,
    "name": "sleep",
    "parent": {
      "args": [
        "-bash"
      ],
      "args_count": 1,
      "command_line": "-bash",
      "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM5LTE2Njk3NTI5NTM=",
      "executable": "/bin/bash",
      "group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "interactive": true,
      "name": "bash",
      "pid": 18739,
      "real_group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "real_user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "start": "2022-11-29T20:15:53.59Z",
      "supplemental_groups": [
        {
          "id": 4,
          "name": "adm"
        },
        {
          "id": 20,
          "name": "dialout"
        },
        {
          "id": 24,
          "name": "cdrom"
        },
        {
          "id": 25,
          "name": "floppy"
        },
        {
          "id": 27,
          "name": "sudo"
        },
        {
          "id": 29,
          "name": "audio"
        },
        {
          "id": 30,
          "name": "dip"
        },
        {
          "id": 44,
          "name": "video"
        },
        {
          "id": 46,
          "name": "plugdev"
        },
        {
          "id": 117,
          "name": "netdev"
        },
        {
          "id": 118,
          "name": "lxd"
        }
      ],
      "tty": {
        "char_device": {
          "major": 136,
          "minor": 0
        }
      },
      "user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "working_directory": "/home/ubuntu"
    },
    "pid": 18890,
    "previous": [
      {
        "args": [
          "-bash"
        ],
        "args_count": 1,
        "executable": "/bin/bash"
      }
    ],
    "real_group": {
      "id": 1000,
      "name": "ubuntu"
    },
    "real_user": {
      "id": 1000,
      "name": "ubuntu"
    },
    "session_leader": {
      "args": [
        "-bash"
      ],
      "args_count": 1,
      "entity_id": "MTMxNDZlYWMtNmFhMC00MzMyLTg2ZDctMjE1NzVlZDIwMDAzLTE4NzM5LTE2Njk3NTI5NTM=",
      "executable": "/bin/bash",
      "group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "interactive": true,
      "name": "bash",
      "pid": 18739,
      "real_group": {
        "id": 1000,
        "name": "ubuntu"
      },
      "real_user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "same_as_process": false,
      "start": "2022-11-29T20:15:53.59Z",
      "supplemental_groups": [
        {
          "id": 4,
          "name": "adm"
        },
        {
          "id": 20,
          "name": "dialout"
        },
        {
          "id": 24,
          "name": "cdrom"
        },
        {
          "id": 25,
          "name": "floppy"
        },
        {
          "id": 27,
          "name": "sudo"
        },
        {
          "id": 29,
          "name": "audio"
        },
        {
          "id": 30,
          "name": "dip"
        },
        {
          "id": 44,
          "name": "video"
        },
        {
          "id": 46,
          "name": "plugdev"
        },
        {
          "id": 117,
          "name": "netdev"
        },
        {
          "id": 118,
          "name": "lxd"
        }
      ],
      "tty": {
        "char_device": {
          "major": 136,
          "minor": 0
        }
      },
      "user": {
        "id": 1000,
        "name": "ubuntu"
      },
      "working_directory": "/home/ubuntu"
    },
    "start": "2022-11-29T20:16:35.9Z",
    "supplemental_groups": [
      {
        "id": 4,
        "name": "adm"
      },
      {
        "id": 20,
        "name": "dialout"
      },
      {
        "id": 24,
        "name": "cdrom"
      },
      {
        "id": 25,
        "name": "floppy"
      },
      {
        "id": 27,
        "name": "sudo"
      },
      {
        "id": 29,
        "name": "audio"
      },
      {
        "id": 30,
        "name": "dip"
      },
      {
        "id": 44,
        "name": "video"
      },
      {
        "id": 46,
        "name": "plugdev"
      },
      {
        "id": 117,
        "name": "netdev"
      },
      {
        "id": 118,
        "name": "lxd"
      }
    ],
    "tty": {
      "char_device": {
        "major": 136,
        "minor": 0
      }
    },
    "user": {
      "id": 1000,
      "name": "ubuntu"
    },
    "working_directory": "/home/ubuntu"
  },
  "user": {
    "Ext": {
      "real": {
        "id": 1000,
        "name": "ubuntu"
      }
    },
    "id": 1000,
    "name": "ubuntu"
  }
}

Release Target

8.6.0

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
  • If this is a metadata change, I also updated both transform destination schemas to match
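As an added example (not code from this PR or the endpoint-package project), the block below works with the env_vars shape shown in the sample values above: it splits the "KEY=VALUE" keyword array into bindings, sets malformed entries aside, and redacts values whose names look like credentials before a document like the one above is indexed. The ECS field reference describes process.env_vars as an array of environment variable bindings that may be filtered to protect sensitive data, which this page does not itself state; the sensitive-name pattern and the extra sample entries are my own constructions.

```python
import json
import re

# Constructed sample event: the two env_vars values from the PR plus three
# made-up entries (a secret-looking key, PATH, and a string with no '=').
SAMPLE_EVENT = json.loads("""
{
  "event": {"dataset": "endpoint.events.process", "action": "end"},
  "process": {
    "name": "sleep", "command_line": "sleep 10",
    "env_vars": ["NICK=test", "OTHER=why",
                 "AWS_SECRET_ACCESS_KEY=constructed-value",
                 "PATH=/usr/bin:/bin", "MALFORMED"]
  }
}
""")

# Assumed pattern for variable names that commonly carry credentials.
SENSITIVE_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY", re.I)
REDACTED = "[REDACTED]"

def parse_env_vars(env_vars):
    """Split each "KEY=VALUE" binding at its first '='.

    Returns (bindings, malformed): bindings maps key -> value; malformed holds
    entries that are not strings or contain no '=' (kept so nothing is lost).
    """
    bindings, malformed = {}, []
    for item in env_vars:
        if not isinstance(item, str) or "=" not in item:
            malformed.append(item)
            continue
        key, _, value = item.partition("=")  # value may itself contain '='
        bindings[key] = value
    return bindings, malformed

def redact_env_vars(env_vars, pattern=SENSITIVE_KEY):
    """New env_vars array in the same keyword-array shape, with values of
    sensitive-looking keys replaced; malformed entries are passed through."""
    bindings, malformed = parse_env_vars(env_vars)
    kept = [f"{k}={REDACTED if pattern.search(k) else v}" for k, v in bindings.items()]
    return kept + malformed

def redact_event(event):
    """Copy of the event with process.env_vars redacted; other fields untouched."""
    process = event.get("process", {})
    if "env_vars" not in process:
        return event
    return {**event, "process": {**process, "env_vars": redact_env_vars(process["env_vars"])}}
```

Because the output keeps the "KEY=VALUE" string form, it still fits the keyword-array mapping the PR pulls in, so the redaction can run before indexing without a mapping change.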

@kevinlog kevinlog requested a review from a team as a code owner November 29, 2022 18:43
@elasticmachine
Contributor

elasticmachine commented Nov 29, 2022

💚 Build Succeeded



Build stats

  • Start Time: 2022-11-29T21:31:46.274+0000

  • Duration: 8 min 39 sec

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@kevinlog
Contributor Author

/test


@lrishi lrishi left a comment


lgtm 👍🏽

@kevinlog kevinlog changed the title Update ECS to 8.5.1 Update ECS to 8.5.2 Nov 29, 2022
@kevinlog kevinlog merged commit 21984ab into main Nov 29, 2022
@kevinlog kevinlog deleted the task/update-ecs branch November 29, 2022 22:17
kevinlog added a commit that referenced this pull request Nov 29, 2022
@elasticmachine
Contributor

Package endpoint - 8.6.1 containing this change is available at https://epr.elastic.co/search?package=endpoint

@kevinlog kevinlog mentioned this pull request Feb 8, 2023

5 participants