Trendmicro Integration #4471
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@emnp the license check is passing now, which is great!
@P1llus, sorry :( I left to update some files.
/test
I added as much as I could for a first review. We might need to require a more detailed README, and there are a few questions we still wonder about, but I am sure we can work it out!
Thanks very much for doing this PR, and I feel it already has pretty much everything we need! :)
"version": "8.4.0" | ||
}, | ||
"error": { | ||
"message": "For input string: \\\"\\\"" |
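Review bot: the expected-output file for the pipeline test carries an error.message of "For input string: \"\"", which is the Java NumberFormatException raised when an empty string is converted to a number; an expected file should not bake a pipeline failure into its assertions. Guard the numeric conversion (ignore_missing, or an if condition that checks the value is non-empty) or fix the test input so the field is populated, then regenerate the expected JSON.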
This parsing seems to have errors?
I got this when I tested the pipeline, but it worked well when I did the system test, and also when I tried to send the log file with Elastic Agent it worked well.
@emnp the issue seems to be in signature_id, which is being set to event.code, but the value of event.code is never populated in the pipeline. This is making signature_id an empty string and causing pipeline test failures.
Resolved by changing the pipeline test log structure, as it should be the step after the cef_decode processor.
packages/trendmicro/_dev/deploy/docker/sample_logs/trendmicro.log
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
packages/trendmicro/manifest.yml
title: Trendmicro Deep Security logs | ||
description: Collect deep security logs | ||
inputs: | ||
- type: logfile |
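Review bot: the input type on the last line should be filestream rather than logfile, since Filebeat's filestream input supersedes the log input. Separately, the title and description spell the product as "Trendmicro" and "deep security" while the vendor writes it as Trend Micro Deep Security; "Trend Micro Deep Security logs" and "Collect Trend Micro Deep Security logs" would be consistent with that naming.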
Could you change this from logfile to filestream?
I'm not clear on this one. Do I need to change logfile to filestream? I have set it as logfile currently.
@emnp Please refer here for the filestream input. The config is very similar to the log input, but it's more efficient.
You will need to specify this in 2 places:
https://github.com/elastic/integrations/pull/4471/files#diff-5a93912aba1067c2a133245e39a2b8c338202478242669fa111607f603449eceR28
and
https://github.com/elastic/integrations/pull/4471/files#diff-79bde44df376a077217c8e85fa3e4e44cbf16aacb73ace2d101e4a7f4eb8d944R4
Refer to the existing integration:
- type: filestream
And this one:
- input: filestream
Resolved by updating to filestream
/test
Hello @P1llus, sorry for the delay. I updated some files last night. Could you please help to check?
/test
/test
/test
@emnp Can you add an entry to .github/CODEOWNERS for this package? CI is failing otherwise.
...es/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.log-expected.json
...dmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-common-config.yml
processor: | ||
set: | ||
field: "{{_ingest._value.to}}" | ||
value: "{{_ingest._value.value}}" |
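Review bot: the set processor inside this foreach has no ignore_missing option; when _ingest._value.to or _ingest._value.value is absent, the mustache template renders empty and the processor fails. Use ignore_empty_value: true on set (it skips quietly when the templated value is null or empty), and because an empty field name cannot be skipped that way, add an if condition that checks _ingest._value.to is non-null, keeping ignore_failure: true only as a last resort.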
add ignore_missing to avoid failure
...dmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
- remove: | ||
field: | ||
- cef |
add ignore_missing
- remove: | ||
field: | ||
- _tmp_copy |
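Review bot: _tmp_copy is a scratch field and this remove runs only on the success path, so when an earlier processor fails the field stays in the indexed document. Add ignore_missing: true here (remove fails on a missing field) and repeat the remove in the pipeline's on_failure block so temporary fields are cleaned up on both paths.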
add ignore_missing
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/firewall-event.yml
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as
@kcreddy I think it might be good if we apply the last changes to the PR, if that's okay?
/test
@emnp we have added the last changes needed before a merge, and just wanted to check in with you that this is okay? Sorry for the unusually long waiting time here!
LGTM
Package trendmicro - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=trendmicro
What does this PR do?
Add integration for TrendMicro deep security logs.
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots