[cisco_ftd] Add network and dns ECS fields #5522
…ne/default.yml Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
file-detected events should not be alert kind
In line with 430005 events that are not malware.
According to ECS
I need help fixing usernames from FTD integrated with Passive Authentication. The string can be a custom description of the domain used for user lookup, but it is not required to be an actual domain name. (Eg.
The pipeline test expects need to be updated for this.
Also needs additions to fields/ecs.yml:
[0] field "dns.question.registered_domain" is undefined
[1] field "dns.question.subdomain" is undefined
[2] field "dns.question.top_level_domain" is undefined
For #5522 (comment) do you have examples where they would differ and how that would cause an issue?
…ne/default.yml Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
I cannot comprehend the different options here, hence me asking.
Yeah, you really need to glean that on a case-by-case basis from the Cisco documentation.
My mistake.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Needs an
Ready for review |
should be good now |
Can you provide test cases for the new event.outcome classifications?
Added test case for
Added test cases for event.outcome "trust" and "block with reset". |
I found another value for
Fixed with this: https://github.com/elastic/integrations/pull/5522/files#diff-753433e478ec043eaee29b5dcd39b3f7153a0f858323be73401e0e1aab3e7255R2137
LGTM with minor nit.
Minor nit removed. All good from here. Ready to go.
Package cisco_ftd - 2.9.2 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd
What does this PR do?
This will sum up source.bytes and destination.bytes into network.bytes, along with extracting dns.question.registered_domain from dns.question.name. user.name will be removed if the string is "Not Found".
Checklist
changelog.yml file.
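One way to express the three changes described above as Elasticsearch ingest-pipeline processors. This is an added illustration, not the contents of the PR's default.yml; the processor layout, null-guards and the sample document are assumptions.

```yaml
# Illustrative ingest-pipeline fragment (assumed layout, not the cisco_ftd package's own pipeline).
processors:
  # 1. network.bytes = source.bytes + destination.bytes, only when both are present,
  #    so a missing counter does not turn into a Painless null-pointer failure.
  - script:
      lang: painless
      if: "ctx.source?.bytes != null && ctx.destination?.bytes != null"
      source: |
        if (ctx.network == null) {
          ctx.network = new HashMap();
        }
        ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes;

  # 2. Split dns.question.name into its components. With target_field set to
  #    dns.question the processor writes dns.question.registered_domain,
  #    dns.question.top_level_domain and dns.question.subdomain, which is why
  #    those fields also have to be declared in fields/ecs.yml.
  - registered_domain:
      field: dns.question.name
      target_field: dns.question
      ignore_missing: true

  # 3. Drop the placeholder user.name that FTD emits when the passive-auth
  #    lookup finds no user, so it never shows up as a real identity in searches.
  - remove:
      field: user.name
      if: "ctx.user?.name == 'Not Found'"
      ignore_missing: true

# Constructed sample document, e.g. for POST _ingest/pipeline/_simulate:
#   {"source": {"bytes": 1200}, "destination": {"bytes": 3400},
#    "dns": {"question": {"name": "updates.example.co.uk"}},
#    "user": {"name": "Not Found"}}
# Expected result: network.bytes = 4600,
#   dns.question.registered_domain = "example.co.uk",
#   dns.question.top_level_domain = "co.uk",
#   dns.question.subdomain = "updates", and no user.name field.
```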