[Cloud Posture] Findings datastream mapping #3775
Conversation
kfirpeled
added
enhancement
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
/test |
🌐 Coverage report
|
| - description: Adjust findings data-stream mappings to fit ECS conventions | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/3775 | ||
| - description: Turned off dynamic mappings of findings data-stream | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/3775 | ||
| - description: Added default pipeline to findings data-stream | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/3775 |
There was a problem hiding this comment.
I'm not sure listing the same PR multiple times is encouraged.
| - description: Adjust findings data-stream mappings to fit ECS conventions | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/3775 | |
| - description: Turned off dynamic mappings of findings data-stream | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/3775 | |
| - description: Added default pipeline to findings data-stream | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/3775 | |
| - description: | | |
| Adjust findings data-stream mappings to fit ECS conventions | |
| Turned off dynamic mappings of findings data-stream | |
| Added default pipeline to findings data-stream | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/3775 |
There was a problem hiding this comment.
saw several packages doing the same in their changelog, thought to give it a try
There was a problem hiding this comment.
tbh, my previous try with version 0.0.19 combining multiple prs to the same changelog was not a successful one. Because of the post-merge process happens when the version is being create for the first time, it is not being updated afterwards
| - name: event.ingested | ||
| external: ecs | ||
| type: date | ||
| - name: file.accessed |
There was a problem hiding this comment.
maybe add a comment and link https://github.com/elastic/cloudbeat/blob/main/resources/fetchers/file_system_fetcher.go#L58-L74
| - name: message | ||
| external: ecs | ||
| type: match_only_text | ||
| - name: process.args |
There was a problem hiding this comment.
There was a problem hiding this comment.
or was this file purely autogenerated? In this case let's not edit it
There was a problem hiding this comment.
semi-auto generated, the ecs generator is half-way through to get this file format
I assume this file is going to be fully auto generated
I saw osquery did their own tool, could be a good idea for us as well going forward
https://github.com/elastic/integrations/blob/main/packages/osquery_manager/data_stream/result/fields/ecs.yml
| Examples of data sources that would populate the rule fields include: network | ||
| admission control platforms, network or host IDS/IPS, network firewalls, web | ||
| application firewalls, url filters, endpoint detection and response (EDR) systems, |
There was a problem hiding this comment.
maybe this could be specified for us (if not autogenerated)
There was a problem hiding this comment.
So I copy-pasted from the generated code
I didn't try to follow if the documentation being created out of it.
I guess you are correct but I'd leave that out-of-scope and we'll deal with that later on
Assuming the official ECS documentation is good enough for now
| default_field: false | ||
| - name: tags | ||
| level: extended | ||
| type: keyword |
There was a problem hiding this comment.
tags is a list isn't it? Is this the way to map list of keywords?
There was a problem hiding this comment.
when I was using type: array the mapping was working as expected.
I was googling and based on the following answer https://stackoverflow.com/questions/43530610/how-to-do-a-mapping-of-array-of-strings-in-elasticsearch
it seems that type: keyword is good enough
And looking on ECS base fields they do the same for the tags field:
https://www.elastic.co/guide/en/ecs/current/ecs-base.html#field-tags
|
@ofiriro3 @tehilashn we may need to do the same for the new EKS fetchers, are they introducing any new fields? besides the raw resource? |
|
@oren-zohar No new fields, only the raw resource |
What does this PR do?
In the following PR we've adjusted the findings mappings.
This means that from now on we opt-in which fields we index in the findings being sent by
cloudbeatChecklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
To test this PR I recommend building the package locally and use it, send data using
cloudbeatand check that all fields have the correct mappingsRelated issues
Screenshots