

[ECS] Updating microsoft_defender_endpoint to ECS 8.10 & ECS field validation updates (#7929)

* Correcting ecs field validation & updating to ecs 8.10

* Update changelog.yml

* updating docs
kgeller committed Sep 22, 2023
1 parent 2b74cc9 commit a1a2bf5
Showing 7 changed files with 32 additions and 32 deletions.
2 changes: 1 addition & 1 deletion packages/microsoft_defender_endpoint/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
reference: git@v8.9.0
reference: git@v8.10.0
5 changes: 5 additions & 0 deletions packages/microsoft_defender_endpoint/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.19.0"
changes:
- description: Update package to ECS 8.10.0 and align ECS categorization fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/7929
- version: "2.18.0"
changes:
- description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
Expand Up @@ -11,7 +11,7 @@
"provider": "azure"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"event": {
"action": "Malware",
Expand Down Expand Up @@ -92,7 +92,7 @@
"provider": "azure"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"event": {
"action": "DefenseEvasion",
Expand All @@ -111,7 +111,6 @@
"start": "2020-06-30T09:04:56.8490679Z",
"timezone": "UTC",
"type": [
"creation",
"start"
]
},
Expand Down Expand Up @@ -196,7 +195,7 @@
"provider": "azure"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"event": {
"action": "DefenseEvasion",
Expand All @@ -214,8 +213,7 @@
"start": "2020-06-30T09:04:56.8490679Z",
"timezone": "UTC",
"type": [
"user",
"creation",
"access",
"start"
]
},
Expand Down Expand Up @@ -282,7 +280,7 @@
"provider": "azure"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"event": {
"action": "Malware",
Expand Up @@ -3,7 +3,7 @@ description: Pipeline for parsing Microsoft Defender for Endpoint logs
processors:
- set:
field: ecs.version
value: '8.9.0'
value: '8.10.0'
- rename:
field: message
target_field: event.original
Expand Down Expand Up @@ -103,12 +103,11 @@ processors:
if: ctx.json?.evidence?.entityType == 'Process'
- append:
field: event.type
value: user
value: access
if: ctx.json?.evidence?.entityType == 'User'
- append:
field: event.type
value:
- creation
- start
if: ctx.json?.status == 'New'
- append:
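Review bot: The two `append` processors onto `event.type` in this hunk still rely on the processor's default of allowing duplicates, so if more than one condition resolves to the same value (the new `access` for User evidence, or `start` for a `New` status) the array can end up with repeated entries; adding `allow_duplicates: false` to each of them — and to the sibling `event.type` appends visible at the hunk edges — keeps the list free of repeats without changing which values are produced. The `processors` list continues on both sides of the hunk, and what remains under `value:` after the dropped `creation` entry is not fully visible here, so the single-item form should be checked against the rendered file. A short comment recording why User evidence is now typed `access` rather than `user` would also help the next ECS bump, e.g. `# 'user' as an event.type presumably only validates alongside event.category 'iam'; User evidence here is categorized as access`.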
@@ -1,11 +1,11 @@
{
"@timestamp": "2023-07-24T14:20:13.467Z",
"@timestamp": "2023-09-22T03:31:55.887Z",
"agent": {
"ephemeral_id": "6602c8b6-3007-4b99-8871-28728195e542",
"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
"ephemeral_id": "20bd2ad7-6c7e-4d34-9d55-57edc09ba1a6",
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.2"
"version": "8.8.1"
},
"cloud": {
"account": {
Expand All @@ -22,12 +22,12 @@
"type": "logs"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"elastic_agent": {
"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"snapshot": false,
"version": "8.8.2"
"version": "8.8.1"
},
"event": {
"action": "Execution",
Expand All @@ -40,15 +40,14 @@
"duration": 101466100,
"end": "2021-01-26T20:31:33.0577322Z",
"id": "da637472900382838869_1364969609",
"ingested": "2023-07-24T14:20:16Z",
"ingested": "2023-09-22T03:31:58Z",
"kind": "alert",
"provider": "defender_endpoint",
"severity": 2,
"start": "2021-01-26T20:31:32.9562661Z",
"timezone": "UTC",
"type": [
"user",
"creation",
"access",
"start"
]
},
19 changes: 9 additions & 10 deletions packages/microsoft_defender_endpoint/docs/README.md
Expand Up @@ -47,13 +47,13 @@ An example event for `log` looks as following:

```json
{
"@timestamp": "2023-07-24T14:20:13.467Z",
"@timestamp": "2023-09-22T03:31:55.887Z",
"agent": {
"ephemeral_id": "6602c8b6-3007-4b99-8871-28728195e542",
"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
"ephemeral_id": "20bd2ad7-6c7e-4d34-9d55-57edc09ba1a6",
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.2"
"version": "8.8.1"
},
"cloud": {
"account": {
Expand All @@ -70,12 +70,12 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
"version": "8.9.0"
"version": "8.10.0"
},
"elastic_agent": {
"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"snapshot": false,
"version": "8.8.2"
"version": "8.8.1"
},
"event": {
"action": "Execution",
Expand All @@ -88,15 +88,14 @@ An example event for `log` looks as following:
"duration": 101466100,
"end": "2021-01-26T20:31:33.0577322Z",
"id": "da637472900382838869_1364969609",
"ingested": "2023-07-24T14:20:16Z",
"ingested": "2023-09-22T03:31:58Z",
"kind": "alert",
"provider": "defender_endpoint",
"severity": 2,
"start": "2021-01-26T20:31:32.9562661Z",
"timezone": "UTC",
"type": [
"user",
"creation",
"access",
"start"
]
},
2 changes: 1 addition & 1 deletion packages/microsoft_defender_endpoint/manifest.yml
@@ -1,7 +1,7 @@
format_version: 2.11.0
name: microsoft_defender_endpoint
title: Microsoft Defender for Endpoint
version: "2.18.0"
version: "2.19.0"
description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
categories:
- "security"

