[multiple integrations] Lowercase host.name field #6057

Merged
merged 51 commits into from
May 24, 2023

Conversation

LaZyDK
Contributor

@LaZyDK LaZyDK commented May 2, 2023

What does this PR do?

As defined in ECS 8.7, host.name is preferably lowercase.

It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.

The below integrations have been edited to support this.

Cisco Secure Endpoint

  • Lowercase host.name

Cisco Umbrella

  • Lowercase host.name

PANW Cortex XDR

  • Lowercase host.name

PANW

  • Lowercase host.name

Fortinet Fortigate

  • Add event.type: denied when action is deny
  • Add host field
  • Lowercase host.name
  • Fix MAC address format
  • Add test

Microsoft DHCP

  • Lowercase host.name
  • Remove dynamic_fields

Microsoft Defender Endpoint

  • Lowercase host.name
  • Remove dynamic_fields

M365 Defender

  • Incident:
  1. Add tests
  2. Add host fields
  3. Copy deviceDnsName to host.name
  4. Lowercase host.name
  • Alert:
  1. Add host fields
  2. Copy DeviceName to host.name in pipelines: alert, app and identity, device
  3. Lowercase host.name
  • Log:
  1. Add host fields
  2. Copy deviceDnsName to host.name
  3. Lowercase host.name

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@LaZyDK LaZyDK requested a review from a team as a code owner May 2, 2023 10:01
@elasticmachine

elasticmachine commented May 2, 2023

💚 Build Succeeded



Build stats

  • Start Time: 2023-05-24T08:11:27.659+0000

  • Duration: 18 min 51 sec

Test stats 🧪

Test Results
Failed 0
Passed 129
Skipped 0
Total 129

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@LaZyDK
Contributor Author

LaZyDK commented May 2, 2023

Ready for discussions and test

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@kcreddy
Contributor

kcreddy commented May 5, 2023

/test

@elasticmachine

elasticmachine commented May 5, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (10/10) 💚
Files 100.0% (33/33) 💚
Classes 100.0% (33/33) 💚
Methods 95.139% (274/288) 👍 3.139
Lines 92.535% (11453/12377) 👎 -1.894
Conditionals 100.0% (0/0) 💚

LaZyDK and others added 3 commits May 5, 2023 12:00
Co-authored-by: Krishna Chaitanya Reddy Burri <krish.reddy91@gmail.com>
@kcreddy
Contributor

kcreddy commented May 5, 2023

/test

@LaZyDK
Contributor Author

LaZyDK commented May 5, 2023

Well, those are some awkward test results for panw.

I am getting this locally:

--- Test results for package: panw - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                    │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────────────────────────┼────────┼──────────────┤
│ panw    │ panos       │ pipeline  │ test-panw-panos-authentication-sample.log    │ PASS   │   48.51725ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-config-sample.log            │ PASS   │    6.00225ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-correlated-events-sample.log │ PASS   │  15.830709ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-decryption-sample.log        │ PASS   │  18.005458ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-globalprotect-sample.log     │ PASS   │     34.052ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-gtp-sample.log               │ PASS   │   5.512625ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-hipmatch-sample.log          │ PASS   │   4.934625ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-inc-other-sample.log         │ PASS   │  17.633458ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-inc-threat-sample.log        │ PASS   │  85.674084ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-inc-traffic-sample.log       │ PASS   │  93.949667ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-inc-traffic.json             │ PASS   │  10.136167ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-ip-tag-sample.log            │ PASS   │   3.899834ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-sctp-sample.log              │ PASS   │   3.654917ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-system-sample.log            │ PASS   │   3.894459ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-threat-sample.log            │ PASS   │   103.6335ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-traffic-sample.log           │ PASS   │  91.255583ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-tunnel-inspection-sample.log │ PASS   │   5.151458ms │
│ panw    │ panos       │ pipeline  │ test-panw-panos-userid-sample.log            │ PASS   │  16.124375ms │
╰─────────┴─────────────┴───────────┴──────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: panw - END   ---
Done
--- Test results for package: panw - START ---
╭─────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ panw    │ panos       │ system    │ logfile   │ PASS   │ 38.838056667s │
│ panw    │ panos       │ system    │ tcp       │ PASS   │ 24.517048291s │
│ panw    │ panos       │ system    │ udp       │ PASS   │ 24.565975292s │
│ panw    │ panos       │ system    │ udp-tz    │ PASS   │ 24.312194666s │
│ panw    │ panos       │ system    │ tls       │ PASS   │ 27.659064584s │
╰─────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: panw - END   ---

@LaZyDK
Contributor Author

LaZyDK commented May 5, 2023

Found the error. Generating new test results and will commit when done.

@LaZyDK
Contributor Author

LaZyDK commented May 5, 2023

Ready for another test

@LaZyDK
Contributor Author

LaZyDK commented May 16, 2023

Any updates regarding this? Do we have blockers?

@efd6
Contributor

efd6 commented May 16, 2023

/test

Contributor

@efd6 efd6 left a comment


Minor nits, then LGTM. Will also wait for approval from @jamiehynds.

…arch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@kcreddy
Contributor

kcreddy commented May 17, 2023

/test

@efd6
Contributor

efd6 commented May 22, 2023

/test

@jamiehynds

LGTM

@kcreddy
Contributor

kcreddy commented May 23, 2023

/test

@P1llus
Member

P1llus commented May 24, 2023

Just as a note for the reviewers, this will temporarily start creating duplicate host entries, because hostnames that were not previously lowercase will now become so, which will conflict with things like SIEM rules that aggregate on hostname etc., for a short time period. This is however a healthy change for the future of the users. Should get a thumbs up from @jamiehynds as well.

@P1llus when you say a short period of time, do we know how long any impacted hostnames (i.e. not currently lowercase) will remain an issue? It's short term pain for long term gain, but might be worth creating a brief article for Support, to get ahead of issues that arise from the change. FYI @jamesspi based on the SIEM impact.

Hard to say, depends on the use case and how long it's used:

  1. Transforms without any maximum age.
  2. ML trained models for entity analytics or anything host based.
  3. Anything custom (rules, transforms etc).

I feel we should still merge, but it's just good to know. The current status before we merge is that it causes issues already due to the mix of lower/upper case, so it's fixing much more.
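As an added illustration (not code from this PR or from the elastic/integrations repository) of the normalization steps listed in the PR description and of the transition-period duplication described in the thread above, the following Python mimics the ingest steps in plain dictionaries and counts the host entities a grouping on host.name would see before the change, after it, and while old and new documents coexist. The vendor field names deviceDnsName and DeviceName come from the PR description; the sample events are constructed, and the hyphenated uppercase MAC form is an assumption about what the Fortigate "Fix MAC address format" item targets (it is the format ECS recommends).

```python
import re
from collections import Counter

# Constructed sample events (vendor field names as named in the PR
# description: deviceDnsName for M365 Defender incidents/logs, DeviceName
# for alerts). Not data from the PR.
EVENTS = [
    {"deviceDnsName": "WS-Finance-01.corp.example", "action": "allow"},
    {"deviceDnsName": "ws-finance-01.corp.example", "action": "deny"},
    {"DeviceName": "DC01.CORP.EXAMPLE", "action": "allow", "mac": "00:00:5e:00:53:af"},
    {"action": "deny"},  # no host information at all: host.name must stay absent
]


def normalize(event, lowercase=True):
    """Mimic the ingest steps the PR lists: copy the vendor host field to
    host.name, optionally lowercase it (ignore_missing semantics: a missing
    source leaves the target absent), rewrite the MAC to the hyphenated
    uppercase form ECS recommends (assumed to be the Fortigate MAC fix),
    and set event.type to denied when action is deny."""
    out = dict(event)
    for src in ("deviceDnsName", "DeviceName"):
        if src in out and "host.name" not in out:
            out["host.name"] = out[src]
    if lowercase and "host.name" in out:
        out["host.name"] = out["host.name"].lower()
    if "mac" in out:
        digits = re.sub(r"[^0-9a-fA-F]", "", out["mac"])
        if len(digits) == 12:
            out["host.mac"] = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    if out.get("action") == "deny":
        out["event.type"] = "denied"
    return out


def host_entities(events):
    """Distinct host.name values and their event counts: what a transform,
    ML job or rule that groups on host.name sees."""
    return Counter(e["host.name"] for e in events if "host.name" in e)


def transition_entities(old_events, new_events):
    """Entities seen while documents from the old (mixed-case) pipeline
    still sit next to documents from the new (lowercase) pipeline."""
    return host_entities([normalize(e, lowercase=False) for e in old_events]
                         + [normalize(e) for e in new_events])


if __name__ == "__main__":
    print("mixed case :", host_entities([normalize(e, lowercase=False) for e in EVENTS]))
    print("lowercased :", host_entities([normalize(e) for e in EVENTS]))
    print("transition :", transition_entities(EVENTS, EVENTS))
```

The transition view is the duplication window: the same machine appears once under its old mixed-case name and once under the new lowercase one until the old documents age out of whatever groups on host.name.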

@P1llus
Member

P1llus commented May 24, 2023

/test

Contributor

@kcreddy kcreddy left a comment


LGTM

@kcreddy kcreddy merged commit 8a0bb78 into elastic:main May 24, 2023
3 checks passed
@LaZyDK LaZyDK deleted the ecs_host_name branch May 24, 2023 09:05
@elasticmachine

Package cisco_secure_endpoint - 2.12.0 containing this change is available at https://epr.elastic.co/search?package=cisco_secure_endpoint

@elasticmachine

Package cisco_umbrella - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella

@elasticmachine

Package fortinet_fortigate - 1.11.0 containing this change is available at https://epr.elastic.co/search?package=fortinet_fortigate

@elasticmachine

Package m365_defender - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=m365_defender

@elasticmachine

Package microsoft_defender_endpoint - 2.11.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_defender_endpoint

@elasticmachine

Package microsoft_dhcp - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_dhcp

@elasticmachine

Package panw - 3.8.0 containing this change is available at https://epr.elastic.co/search?package=panw

@elasticmachine

Package panw_cortex_xdr - 1.10.0 containing this change is available at https://epr.elastic.co/search?package=panw_cortex_xdr
