[cisco_umbrella] Add DLP and Intrusion logs for SIG users #5716
Some small nitpicks; I can see if I can help out here.
I can also confirm that indeed the CSVs for auditlog are multiline, and in quite a few different format types.
Since we do not have system tests for S3 inputs we would have to test this manually.
```yaml
  - remove:
      field: user.email
      if: ctx.user?.email == "null"
  - remove:
      field: user.id
      if: ctx.user?.id == "null"
  - remove:
      field: user.name
      if: ctx.user?.name == "null"
  # Remove user field if present and empty
  - remove:
      field:
        - user
      if: ctx.user instanceof Map && ctx.user.size() == 0
      ignore_failure: true
```
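Review bot: `ignore_failure: true` on the last `remove` processor is unnecessary and will mask unrelated errors: its guard `if: ctx.user instanceof Map && ctx.user.size() == 0` already guarantees that `user` exists, so the processor cannot fail on a missing field; drop it, and reserve `ignore_missing: true` for processors whose field may genuinely be absent. The three `== "null"` conditions compare against the literal string the audit log emits, not against a missing value; a short comment saying so would stop a later maintainer rewriting them as null checks.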
I think we have to go back to where these are populated and create better logic for when not to populate those fields.
We also try to not use ignore_failure (ignore_missing is fine).
These are populated by the audit log - so we should go back to Cisco to fix fields containing the string "null". 🥇
I can remove the ignore_failure real fast.
I will deliver small edits to
Ready for comments.
packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml
…ipeline/default.yml Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
All tests are passing locally on my machine.
Needs a field definition. In "static test: Verify sample_event.json – cisco_umbrella.log"
This isn't being generated anymore, so you removed it from fields.yml, but it's still in the sample event. So you'll need to rerun
For some reason, the sample_event.json is never regenerated. Not even if I fill in the file with
Turns out there are no system tests. This means that the sample event was hand constructed or added. I'm in two (three?) minds; the options are to remove the sample event and update the docs, hand correct the event (not ideal), obtain a real sample event and replace with that (also not ideal but probably better). Writing a system test is not really feasible since s3 is the only input. I think I'd be OK with a combination of 2. and 3. where you've checked that a hand edited sample is valid when compared to a real event.
New sample event, but with more information.
🎉
Package cisco_umbrella - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella
What does this PR do?
Added DLP logs, Intrusion logs and Firewall logs for Umbrella SIG users.
https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning
Fixes audit logs being multiline.
- Added event.severity, event.action, event.kind, event.category and event.type.
- Proxy logs will now show up in SIEM -> Network -> HTTP as more HTTP ECS fields are used.
- User identities are now in user.name.
- Host identities are now in host.name.
- Network identities are now in network.name.
- Added found FQDNs to related.hosts.
- Added file hashes from DLP logs to related.hash.
- user_agent.original is now processed.
Checklist
changelog.yml file.
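The two ingest problems discussed in this thread, audit-log CSV records that span several lines and user fields that carry the literal string "null", are illustrated below in an added Python example. This is not code from the PR or the cisco_umbrella package; the sample CSV, its column order, the action vocabulary used for event.type and the "null" placeholder are all constructed assumptions for the demonstration, so check them against a real export. It contrasts a naive line splitter (which breaks a quoted multiline field into extra records) with the csv module, then maps each record to an ECS-style document without ever emitting an empty user object.

```python
import csv
import io

# Assumed column layout for the constructed sample; not the documented
# Umbrella audit-log format.
COLUMNS = ["timestamp", "user_email", "type", "action", "description"]

# Constructed sample export. The first record's description field contains
# an embedded newline inside quotes; the second has the string "null" for
# the user, which is how the thread describes the upstream export behaving.
SAMPLE_AUDIT_CSV = (
    '"2023-03-27 10:15:02","user@example.com","Settings","Update",'
    '"Changed policy\nfrom A to B"\n'
    '"2023-03-27 10:16:45","null","API","Create","API key issued"\n'
)

# Assumed mapping from the audit action verb to an ECS event.type value.
ACTION_TO_EVENT_TYPE = {"create": "creation", "update": "change", "delete": "deletion"}


def split_lines_naively(text):
    """A line-oriented reader: a quoted field with a newline becomes two 'records'."""
    return [line for line in text.splitlines() if line]


def parse_audit_log(text):
    """Parse with the csv module, which keeps newlines that sit inside quotes."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(COLUMNS, row)) for row in reader if row]


def to_ecs(record):
    """Map one parsed audit record to an ECS-style document."""
    action = record["action"].lower()
    doc = {
        "@timestamp": record["timestamp"],
        "event": {
            "kind": "event",
            "category": ["configuration"],
            "action": action,
            "type": [ACTION_TO_EVENT_TYPE.get(action, "info")],
        },
        "message": record["description"],
        "cisco_umbrella": {"audit": {"type": record["type"]}},
    }
    # The export writes the literal string "null" rather than an empty field,
    # so the comparison is against that string, not against None.
    user = {}
    if record["user_email"] not in ("", "null"):
        user["email"] = record["user_email"]
    if user:  # only attach user.* when there is something to attach
        doc["user"] = user
        doc["related"] = {"user": [user["email"]]}
    return doc


def process(text):
    """Parse an export and return one ECS-style document per record."""
    return [to_ecs(r) for r in parse_audit_log(text)]


if __name__ == "__main__":
    print(len(split_lines_naively(SAMPLE_AUDIT_CSV)), "lines from naive splitting")
    print(len(parse_audit_log(SAMPLE_AUDIT_CSV)), "records from the csv module")
    for doc in process(SAMPLE_AUDIT_CSV):
        print(doc)
```

Run it as a script to see the naive splitter report three lines where the csv parser yields two records; the second document has no `user` key at all, which is the outcome the pipeline's `remove` processors are working towards.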