[network_traffic] Add missing field mappings in DNS and TLS #3078

Conversation

@andrewkroh andrewkroh (Member) commented Apr 12, 2022

What does this PR do?

A user reported missing mappings for the following fields which caused a conflict with ECS data types.

  • dns.answers.ttl
  • tls.server.not_after
  • tls.server.not_before
  • tls.server.x509.not_after
  • tls.server.x509.not_before
  • tls.server.x509.version_number

dns.answers is an array of objects and IIUC elastic-package does not validate this data type. So I added the ECS dns.answer.* fields.

For tls we did not have a system test in place that generated tls.server fields so I added one. This uncovered some issues and inconsistencies between Agent 7.17 and 8.2.

  • Add mappings from ECS tls.*.
  • Remove tls.detailed.{client,server}_certificate (legacy/pre-ECS fields that are now duplicated into ECS fields).
  • Update dashboards to use tls.{client,server}.x509.* instead of tls.detailed.{client,server}_certificate.*.
  • Remove mappings for 'province'. Those fields were renamed in Packetbeat 7.9 to state_or_province (per ECS) ([Packetbeat] ECS 1.5 update beats#19167).

I also found some event.* fields that were not documented due to elastic/elastic-package#147.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
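
The validation gap described above (array-of-object fields such as dns.answers.* not being checked against the mappings) can be reproduced with a small walker; this is an added illustration, not code from this PR or from elastic-package, and the sample event and mapping sets are constructed to mirror the fields named in the description.

```python
"""Report event fields that have no mapping, descending into arrays of objects.

Added illustration, not elastic-package code. The sample event and the
mapping sets below are constructed to mirror the fields named in the PR.
"""
from typing import Any, Iterator


def flatten(obj: Any, prefix: str = "") -> Iterator[str]:
    """Yield dotted field paths for every leaf value in a nested event.

    Lists are descended without an index component, so each element of
    dns.answers contributes dns.answers.<key> paths. A validator that stops
    at lists would never see dns.answers.ttl, which is how the gap arises.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix.rstrip(".")


def unmapped_fields(event: dict, mapped: set[str]) -> set[str]:
    """Return dotted paths present in the event but absent from the mapping."""
    return {path for path in flatten(event) if path not in mapped}


# Constructed sample event resembling Packetbeat DNS and TLS output.
SAMPLE_EVENT = {
    "dns": {"answers": [{"name": "example.com", "type": "A", "ttl": 300}]},
    "tls": {"server": {"x509": {"not_after": "2023-01-01T00:00:00Z",
                                "version_number": "3"}}},
}

# Constructed mapping set in which the array-of-object field dns.answers.ttl
# and the tls.server.x509.* fields were never declared (the reported state).
MAPPED_BEFORE_FIX = {"dns.answers.name", "dns.answers.type"}
# Constructed mapping set after the missing ECS fields are added.
MAPPED_AFTER_FIX = MAPPED_BEFORE_FIX | {
    "dns.answers.ttl",
    "tls.server.x509.not_after",
    "tls.server.x509.version_number",
}

if __name__ == "__main__":
    print(sorted(unmapped_fields(SAMPLE_EVENT, MAPPED_BEFORE_FIX)))
```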

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh andrewkroh force-pushed the network_traffic/bugfix/add-missing-field-mappings branch from 66975be to 8e42343 Compare April 12, 2022 21:38
@elasticmachine elasticmachine commented Apr 12, 2022

💚 Build Succeeded

Build stats

  • Start Time: 2022-04-13T21:54:43.886+0000

  • Duration: 67 min 48 sec

Test stats 🧪

Test Results
Failed 0
Passed 264
Skipped 0
Total 264


[git-generate]
cd packages/network_traffic
for ds in $(ls data_stream); do yq -i '. | sort_by(.name)' data_stream/$ds/fields/ecs.yml; done
for ds in $(ls data_stream); do yq -i 'sort_keys(..)' data_stream/$ds/fields/ecs.yml; done
elastic-package format
Array fields are not validated by elastic-package so these were missed.
@andrewkroh andrewkroh force-pushed the network_traffic/bugfix/add-missing-field-mappings branch from 52fd4d4 to 0223d65 Compare April 13, 2022 02:29
Add another TLS test case to expose more TLS fields.
Import ECS mappings for all of `tls.*`.
Convert tls.*.x509.version_number to string
Remove unused tls.*.x509.version mapping
@andrewkroh andrewkroh force-pushed the network_traffic/bugfix/add-missing-field-mappings branch from 0223d65 to 089fce2 Compare April 13, 2022 02:59
@andrewkroh andrewkroh marked this pull request as draft April 13, 2022 04:34
- Remove tls.detailed.{client,server}_certificate.
- Update dashboards to use tls.{client,server}.x509.* instead of tls.detailed.{client,server}_certificate.*
- Remove mappings for 'province'. Those fields were renamed in Packetbeat 7.9 to state_or_province (per ECS) (elastic/beats#19167).
[git-generate]
cd packages/network_traffic
elastic-package build
[git-generate]
cd packages/network_traffic
elastic-package-changelog add-next -d "Add missing field mappings to DNS and TLS data streams." --type=bug --pr 3078
@andrewkroh andrewkroh force-pushed the network_traffic/bugfix/add-missing-field-mappings branch from 089fce2 to eb38961 Compare April 13, 2022 21:54
@andrewkroh andrewkroh marked this pull request as ready for review April 13, 2022 23:08
@r00tu53r r00tu53r (Contributor) left a comment

LGTM
