diff --git a/packages/microsoft_defender_endpoint/_dev/build/build.yml b/packages/microsoft_defender_endpoint/_dev/build/build.yml
index c8eeec8cacf3..49e8fdaa97d9 100644
--- a/packages/microsoft_defender_endpoint/_dev/build/build.yml
+++ b/packages/microsoft_defender_endpoint/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
-reference: git@v8.9.0
+reference: git@v8.10.0
diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml
index 100b5b131a45..2bab0cb0ca2c 100644
--- a/packages/microsoft_defender_endpoint/changelog.yml
+++ b/packages/microsoft_defender_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.19.0"
+changes:
+- description: Update package to ECS 8.10.0 and align ECS categorization fields.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/7929
 - version: "2.18.0"
 changes:
 - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json
index fe6e80319a9f..141c0e2b1b36 100644
--- a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json
+++ b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json
@@ -11,7 +11,7 @@
 "provider": "azure"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "event": {
 "action": "Malware",
@@ -92,7 +92,7 @@
 "provider": "azure"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "event": {
 "action": "DefenseEvasion",
@@ -111,7 +111,6 @@
 "start": "2020-06-30T09:04:56.8490679Z",
 "timezone": "UTC",
 "type": [
-"creation",
 "start"
 ]
 },
@@ -196,7 +195,7 @@
 "provider": "azure"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "event": {
 "action": "DefenseEvasion",
@@ -214,8 +213,7 @@
 "start": "2020-06-30T09:04:56.8490679Z",
 "timezone": "UTC",
 "type": [
-"user",
-"creation",
+"access",
 "start"
 ]
 },
@@ -282,7 +280,7 @@
 "provider": "azure"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "event": {
 "action": "Malware",
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index fe298f38457b..f28b994bf6d8 100644
--- a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Microsoft Defender for Endpoint logs
 processors:
 - set:
 field: ecs.version
-value: '8.9.0'
+value: '8.10.0'
 - rename:
 field: message
 target_field: event.original
@@ -103,12 +103,11 @@ processors:
 if: ctx.json?.evidence?.entityType == 'Process'
 - append:
 field: event.type
-value: user
+value: access
 if: ctx.json?.evidence?.entityType == 'User'
 - append:
 field: event.type
 value:
-- creation
 - start
 if: ctx.json?.status == 'New'
 - append:
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json b/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json
index 447c114d0102..1ba053de4661 100644
--- a/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json
+++ b/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json
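Review bot: Dropping `creation` from the `status == 'New'` append and replacing `user` with `access` on the `entityType == 'User'` append in the `@@ -103,12 +103,11 @@` hunk changes the set of `event.type` values this data stream emits, so any existing detection rule or saved search that filters Defender alerts on `event.type: creation` or `event.type: user` will no longer match them, yet the changelog entry records this only as `type: enhancement` with no migration note. I would extend the changelog description (and the README) with a sentence such as `event.type no longer contains "user" or "creation" for Defender alerts; queries keyed on those values should be updated to "access"/"start".` Whether `access` is consistent with the `event.category` this pipeline assigns cannot be checked from here, since that processor is outside the hunk and the `processors` list continues both before and after it. As a style point, the now single-element list `value:` / `- start` could be written as the scalar `value: start`, matching the form used by the `value: access` processor just above.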
@@ -1,11 +1,11 @@
 {
-"@timestamp": "2023-07-24T14:20:13.467Z",
+"@timestamp": "2023-09-22T03:31:55.887Z",
 "agent": {
-"ephemeral_id": "6602c8b6-3007-4b99-8871-28728195e542",
-"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+"ephemeral_id": "20bd2ad7-6c7e-4d34-9d55-57edc09ba1a6",
+"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
-"version": "8.8.2"
+"version": "8.8.1"
 },
 "cloud": {
 "account": {
@@ -22,12 +22,12 @@
 "type": "logs"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "elastic_agent": {
-"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
 "snapshot": false,
-"version": "8.8.2"
+"version": "8.8.1"
 },
 "event": {
 "action": "Execution",
@@ -40,15 +40,14 @@
 "duration": 101466100,
 "end": "2021-01-26T20:31:33.0577322Z",
 "id": "da637472900382838869_1364969609",
-"ingested": "2023-07-24T14:20:16Z",
+"ingested": "2023-09-22T03:31:58Z",
 "kind": "alert",
 "provider": "defender_endpoint",
 "severity": 2,
 "start": "2021-01-26T20:31:32.9562661Z",
 "timezone": "UTC",
 "type": [
-"user",
-"creation",
+"access",
 "start"
 ]
 },
diff --git a/packages/microsoft_defender_endpoint/docs/README.md b/packages/microsoft_defender_endpoint/docs/README.md
index 00b885d6ad7e..9a949c338090 100644
--- a/packages/microsoft_defender_endpoint/docs/README.md
+++ b/packages/microsoft_defender_endpoint/docs/README.md
@@ -47,13 +47,13 @@ An example event for `log` looks as following:
 
 ```json
 {
-"@timestamp": "2023-07-24T14:20:13.467Z",
+"@timestamp": "2023-09-22T03:31:55.887Z",
 "agent": {
-"ephemeral_id": "6602c8b6-3007-4b99-8871-28728195e542",
-"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+"ephemeral_id": "20bd2ad7-6c7e-4d34-9d55-57edc09ba1a6",
+"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
-"version": "8.8.2"
+"version": "8.8.1"
 },
 "cloud": {
 "account": {
@@ -70,12 +70,12 @@ An example event for `log` looks as following:
 "type": "logs"
 },
 "ecs": {
-"version": "8.9.0"
+"version": "8.10.0"
 },
 "elastic_agent": {
-"id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
 "snapshot": false,
-"version": "8.8.2"
+"version": "8.8.1"
 },
 "event": {
 "action": "Execution",
@@ -88,15 +88,14 @@ An example event for `log` looks as following:
 "duration": 101466100,
 "end": "2021-01-26T20:31:33.0577322Z",
 "id": "da637472900382838869_1364969609",
-"ingested": "2023-07-24T14:20:16Z",
+"ingested": "2023-09-22T03:31:58Z",
 "kind": "alert",
 "provider": "defender_endpoint",
 "severity": 2,
 "start": "2021-01-26T20:31:32.9562661Z",
 "timezone": "UTC",
 "type": [
-"user",
-"creation",
+"access",
 "start"
 ]
 },
diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml
index 03142746948e..9ddbbc903b72 100644
--- a/packages/microsoft_defender_endpoint/manifest.yml
+++ b/packages/microsoft_defender_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint
-version: "2.18.0"
+version: "2.19.0"
 description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
 categories:
 - "security"