[Cloud Posture] Findings datastream mapping #3775
nice, some nits
- description: Adjust findings data-stream mappings to fit ECS conventions | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/3775 | ||
- description: Turned off dynamic mappings of findings data-stream | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/3775 | ||
- description: Added default pipeline to findings data-stream | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/3775 |
I'm not sure listing the same PR multiple times is encouraged.
- description: Adjust findings data-stream mappings to fit ECS conventions | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/3775 | |
- description: Turned off dynamic mappings of findings data-stream | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/3775 | |
- description: Added default pipeline to findings data-stream | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/3775 | |
- description: | | |
Adjust findings data-stream mappings to fit ECS conventions | |
Turned off dynamic mappings of findings data-stream | |
Added default pipeline to findings data-stream | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/3775 |
saw several packages doing the same in their changelog, thought to give it a try
tbh, my previous try with version 0.0.19, combining multiple PRs in the same changelog entry, was not a successful one. Because the post-merge process happens when the version is being created for the first time, it is not updated afterwards.
- name: event.ingested | ||
external: ecs | ||
type: date | ||
- name: file.accessed |
maybe add a comment and link https://github.com/elastic/cloudbeat/blob/main/resources/fetchers/file_system_fetcher.go#L58-L74
- name: message | ||
external: ecs | ||
type: match_only_text | ||
- name: process.args |
or was this file purely autogenerated? In this case let's not edit it
semi-auto generated, the ecs generator is half-way through to get this file format
I assume this file is going to be fully auto generated
I saw osquery did their own tool, could be a good idea for us as well going forward
https://github.com/elastic/integrations/blob/main/packages/osquery_manager/data_stream/result/fields/ecs.yml
Examples of data sources that would populate the rule fields include: network | ||
admission control platforms, network or host IDS/IPS, network firewalls, web | ||
application firewalls, url filters, endpoint detection and response (EDR) systems, |
maybe this could be specified for us (if not autogenerated)
So I copy-pasted from the generated code
I didn't try to follow if the documentation being created out of it.
I guess you are correct but I'd leave that out-of-scope and we'll deal with that later on
Assuming the official ECS documentation is good enough for now
default_field: false | ||
- name: tags | ||
level: extended | ||
type: keyword |
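Review bot: `tags` mapped as `type: keyword` already accepts a list of strings, because Elasticsearch has no separate array type and every field holds zero or more values of its mapped type; no `array` type is needed here, and this matches how the ECS base `tags` field linked later in this thread is mapped.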
tags is a list isn't it? Is this the way to map list of keywords?
When I was using type: array the mapping was working as expected. I was googling and based on the following answer https://stackoverflow.com/questions/43530610/how-to-do-a-mapping-of-array-of-strings-in-elasticsearch it seems that type: keyword is good enough.
And looking at the ECS base fields, they do the same for the tags field: https://www.elastic.co/guide/en/ecs/current/ecs-base.html#field-tags
@ofiriro3 @tehilashn we may need to do the same for the new EKS fetchers, are they introducing any new fields? besides the raw resource?
@oren-zohar No new fields, only the raw resource
What does this PR do?
In the following PR we've adjusted the findings mappings. This means that from now on we opt in to which fields we index in the findings being sent by cloudbeat.
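An added example, not code from this PR, from elastic/integrations or from cloudbeat, that ties together two points from this thread: the tags question above (a keyword field takes a list of strings, since Elasticsearch has no separate array type) and the opt-in indexing this description refers to (a mapping with dynamic set to false keeps undeclared fields in _source but does not index them, which also bounds how many mapped fields an untrusted or noisy data source can create). The field list and the finding document below are constructed for the example and only mirror the shape of the fields.yml entries shown in the review; the builder assumes that only name and type feed the mapping and that external and level are documentation metadata rather than mapping options.

```python
"""Build an Elasticsearch mapping from integration-style field definitions
and check a findings document against it (added example, not project code)."""
import json

# Constructed field definitions in the shape of an integration fields.yml.
# Only name/type feed the mapping; 'external: ecs' and 'level' are
# documentation metadata consumed by the packaging tooling, not ES options.
FIELDS = [
    {"name": "event.ingested", "external": "ecs", "type": "date"},
    {"name": "message", "external": "ecs", "type": "match_only_text"},
    {"name": "tags", "level": "extended", "type": "keyword"},
    {"name": "rule.name", "type": "keyword"},
    {"name": "rule.tags", "type": "keyword"},
]

# Constructed finding document; field values are placeholders, not real data.
SAMPLE_FINDING = {
    "event": {"ingested": "2022-07-14T09:30:00.000Z"},
    "message": "constructed finding: anonymous auth should be disabled",
    "tags": ["cis", "k8s"],
    "rule": {
        "name": "constructed-rule",
        "tags": ["benchmark"],
        "remediation": "not declared in FIELDS, so stored but not indexed",
    },
    "resource": {"raw": {"kind": "Pod", "metadata": {"name": "demo"}}},
}


def build_mapping(fields, dynamic=False):
    """Turn dotted field names into a nested ES mapping body.

    dynamic=False is the opt-in behaviour: fields that are not declared here
    are kept in _source but never indexed, so the number of mapped fields is
    fixed by this list rather than by whatever the sender emits."""
    props = {}
    for f in fields:
        *parents, leaf = f["name"].split(".")
        node = props
        for part in parents:
            # An object mapping with no explicit type is an object in ES.
            node = node.setdefault(part, {}).setdefault("properties", {})
        node[leaf] = {"type": f["type"]}
    return {"dynamic": dynamic, "properties": props}


def flatten(doc, prefix=""):
    """Map dotted path -> value. Lists are leaves: Elasticsearch treats a list
    as several values of the same field, not as a distinct array type."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def _values_match(value, es_type):
    """Accept a scalar or a list of scalars of the mapped type.
    Simplified: dates are only accepted as strings here."""
    values = value if isinstance(value, list) else [value]
    if es_type in ("keyword", "text", "match_only_text", "date"):
        return all(isinstance(v, str) for v in values)
    if es_type in ("long", "integer", "float", "double"):
        return all(isinstance(v, (int, float)) and not isinstance(v, bool)
                   for v in values)
    if es_type == "boolean":
        return all(isinstance(v, bool) for v in values)
    return True  # other types are not checked by this example


def classify_document(doc, fields):
    """Report which leaf paths a dynamic:false mapping would index, which it
    would only store, and which declared fields carry a value of the wrong
    type (the latter would make Elasticsearch reject the document)."""
    declared = {f["name"]: f["type"] for f in fields}
    result = {"indexed": {}, "not_indexed": [], "type_errors": []}
    for path, value in sorted(flatten(doc).items()):
        es_type = declared.get(path)
        if es_type is None:
            result["not_indexed"].append(path)
        elif not _values_match(value, es_type):
            result["type_errors"].append(path)
        else:
            result["indexed"][path] = es_type
    return result


if __name__ == "__main__":
    print(json.dumps(build_mapping(FIELDS), indent=2))
    print(json.dumps(classify_document(SAMPLE_FINDING, FIELDS), indent=2))
```

Running it prints the generated mapping and then shows `tags` and `rule.tags` indexed as `keyword` with their list values, while everything under `resource.raw` is reported as stored-only, which is the effect of switching dynamic mappings off for the raw resource.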
How to test this PR locally
To test this PR I recommend building the package locally and using it: send data using cloudbeat and check that all fields have the correct mappings.