cisco_asa,cisco_ftd,microsoft_defender_endpoint,proofpoint_tap,slack: ensure event.type holds ECS-compliant values #7926

Closed
5 changes: 5 additions & 0 deletions packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.22.1"
changes:
- description: Ensure `event.type` is not set to ECS-noncompliant values.
Member:
Suggested change
- description: Ensure `event.type` is not set to ECS-noncompliant values.
- description: Ensure `event.type` is set to ECS-compliant values.

🤷 wdyt?

Contributor Author:
I was thinking about that, to avoid the double negative, but they're semantically non-overlapping. It looks like the point is moot, since I think this was fixed in work by @kgeller.

type: bugfix
link: https://github.com/elastic/integrations/pull/7926
- version: "2.22.0"
changes:
- description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
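Review bot: the description hides what actually changes for consumers of this dataset. Per the pipeline hunk in this PR, events under `category: network` that were typed `error`, `change`, `deletion` or `user` are now typed `info`, which silently breaks any detection rule or saved search that filters on those `event.type` values for cisco_asa. Suggest naming the replaced values in the entry, e.g. `- description: Use ECS-compliant event.type values for network events (error, change, deletion and user are replaced by info).`, and using the same wording in the cisco_ftd changelog.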
@@ -5122,8 +5122,7 @@
"severity": 5,
"timezone": "UTC",
"type": [
"info",
"change"
"info"
]
},
"host": {
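Review bot: expected-results files are pipeline test output, so this hunk should come from re-running the pipeline tests rather than from a hand edit; every hunk in this file changes only a `type` array, which is consistent with regeneration, but it is worth saying so in the PR description. Note also that this severity-5 event loses `change` and keeps only `info`, so a rule watching `event.type:change` on cisco_asa will no longer match it.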
@@ -5527,9 +5526,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"info",
"deletion",
"user"
"info"
]
},
"host": {
@@ -5679,7 +5676,7 @@
"severity": 4,
"timezone": "UTC",
"type": [
"error"
"info"
]
},
"host": {
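Review bot: this and the four hunks that follow retype `error` events (severity 4 and 6) as `info`. With `error` gone from `event.type`, the only remaining signal that these messages describe a failure is `event.outcome: failure`, which the pipeline's `error` mapping keeps; the `outcome` field is outside this hunk, so please confirm the regenerated expected results still carry `"outcome": "failure"` for each of these events, otherwise the failure signal is lost entirely.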
@@ -5846,7 +5843,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"error"
"info"
]
},
"host": {
@@ -5895,7 +5892,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"error"
"info"
]
},
"host": {
@@ -5978,7 +5975,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"error"
"info"
]
},
"host": {
@@ -6020,7 +6017,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"error"
"info"
]
},
"host": {
@@ -17,7 +17,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
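Review bot: dropping `error` and keeping `connection` plus `denied` is the right outcome for a firewall deny under `event.category: network`, whose ECS expected types are access, allowed, connection, denied, end, info, protocol and start. All eleven hunks in this file make the identical change, so any consumer that searched `event.type:error` to find these denies must move to `event.type:denied`; that migration deserves a line in the changelog.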
@@ -91,7 +90,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -165,7 +163,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -239,7 +236,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -313,7 +309,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -387,7 +382,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -461,7 +455,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -535,7 +528,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -609,7 +601,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -655,7 +646,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -803,7 +793,6 @@
"timezone": "UTC",
"type": [
"connection",
"error",
"denied"
]
},
@@ -6521,9 +6521,7 @@
"severity": 6,
"timezone": "UTC",
"type": [
"info",
"deletion",
"user"
"info"
]
},
"log": {
@@ -2340,22 +2340,19 @@ processors:
- network
type:
- info
- change
error:
kind: event
outcome: failure
category:
- network
type:
- error
- info
deleted:
kind: event
category:
- network
type:
- info
- deletion
- user
creation:
kind: event
category:
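Review bot: after this hunk the `error` and `deleted` entries both carry `type: [info]` under `category: network`, so `event.outcome: failure` (kept on `error`) and `event.action` become the only fields that separate an error from a deletion. That is ECS-compliant for the network category, but it is a semantic downgrade for `deleted`: `info` means purely informational with no action reported. If the messages behind `deleted` really describe an object being removed, consider whether `event.category` should also carry a category for which `deletion` is an expected type rather than only dropping the type; otherwise document that `event.action` is the field to query for deletions.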
@@ -2378,7 +2375,6 @@ processors:
- network
type:
- connection
- error
- denied
client-vpn-disconnected:
kind: event
14 changes: 7 additions & 7 deletions packages/cisco_asa/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"agent": {
"ephemeral_id": "bf92e689-48fb-4249-92c2-e3a34105ed72",
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"ephemeral_id": "80b57508-0bc3-492c-b757-6dd3eaaf56a2",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.1"
"version": "8.8.1"
},
"cisco": {
"asa": {
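Review bot: this hunk contains no part of the fix; it only records a regenerated sample with new agent ids and an agent `version` that moves backwards from 8.9.1 to 8.8.1, which suggests the sample was regenerated against an older stack than the one used for the committed file. Either regenerate on the same stack version as before so the diff stays limited to the intended change, or leave sample_event.json out of this PR.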
@@ -28,9 +28,9 @@
"version": "8.9.0"
},
"elastic_agent": {
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"snapshot": false,
"version": "8.9.1"
"version": "8.8.1"
},
"event": {
"action": "firewall-rule",
@@ -40,7 +40,7 @@
],
"code": "305011",
"dataset": "cisco_asa.log",
"ingested": "2023-08-29T16:16:14Z",
"ingested": "2023-09-22T00:32:57Z",
"kind": "event",
"original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
"severity": 6,
@@ -58,7 +58,7 @@
"log": {
"level": "informational",
"source": {
"address": "172.21.0.4:41604"
"address": "172.26.0.4:42724"
}
},
"network": {
14 changes: 7 additions & 7 deletions packages/cisco_asa/docs/README.md
@@ -17,11 +17,11 @@ An example event for `log` looks as following:
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"agent": {
"ephemeral_id": "bf92e689-48fb-4249-92c2-e3a34105ed72",
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"ephemeral_id": "80b57508-0bc3-492c-b757-6dd3eaaf56a2",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.1"
"version": "8.8.1"
},
"cisco": {
"asa": {
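Review bot: none of the four hunks in this README touch `event.type`; they mirror the regenerated sample_event.json (new agent ids, the `ingested` timestamp, the source address, and the agent version going from 8.9.1 to 8.8.1). Whatever is decided for sample_event.json must be applied here as well, since the README example is derived from it and the two have to stay in sync.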
@@ -44,9 +44,9 @@ An example event for `log` looks as following:
"version": "8.9.0"
},
"elastic_agent": {
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"snapshot": false,
"version": "8.9.1"
"version": "8.8.1"
},
"event": {
"action": "firewall-rule",
@@ -56,7 +56,7 @@ An example event for `log` looks as following:
],
"code": "305011",
"dataset": "cisco_asa.log",
"ingested": "2023-08-29T16:16:14Z",
"ingested": "2023-09-22T00:32:57Z",
"kind": "event",
"original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
"severity": 6,
@@ -74,7 +74,7 @@ An example event for `log` looks as following:
"log": {
"level": "informational",
"source": {
"address": "172.21.0.4:41604"
"address": "172.26.0.4:42724"
}
},
"network": {
2 changes: 1 addition & 1 deletion packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
format_version: 2.11.0
name: cisco_asa
title: Cisco ASA
version: "2.22.0"
version: "2.22.1"
description: Collect logs from Cisco ASA with Elastic Agent.
type: integration
categories:
5 changes: 5 additions & 0 deletions packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.16.1"
changes:
- description: Ensure `event.type` is not set to ECS-noncompliant values.
type: bugfix
link: https://github.com/elastic/integrations/pull/7926
- version: "2.16.0"
changes:
- description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
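Review bot: the same double-negative wording is used here as in the cisco_asa changelog, and the wording suggestion made in that thread applies equally. For cisco_ftd the values removed by this PR are `deletion`, `user` and `creation` (from the `deleted` and `creation` mappings), so the entry should name them so that anyone querying `event.type:deletion` or `event.type:creation` on cisco_ftd knows to switch to `event.action`.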
@@ -96,8 +96,6 @@
"timezone": "UTC",
"type": [
"info",
"deletion",
"user",
"allowed"
]
},
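Review bot: this is the only expected-results change in the cisco_ftd package, and it exercises the `deleted` mapping (`deletion` and `user` removed, `info` and `allowed` kept). The pipeline hunk also changes the `creation` mapping, yet no expected-results hunk shows a creation event going from `[info, creation, user]` to `[info]`, so that half of the fix appears to have no test coverage; add a test event whose `event.action` hits the `creation` mapping.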
@@ -2181,16 +2181,12 @@ processors:
- network
type:
- info
- deletion
- user
creation:
kind: event
category:
- network
type:
- info
- creation
- user
source: >-
if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
return;
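Review bot: with `deletion`, `user` and `creation` removed, the `deleted` and `creation` mappings both end up as `category: [network]` with `type: [info]`, so `event.action` is the only field that still distinguishes a created object from a deleted one. The script below applies a mapping only when `ctx.event.action` is a key in `params`, so actions outside this table are left untouched by this processor and the fix covers exactly the listed mappings, nothing more. Worth confirming whether the messages behind `deleted` and `creation` are really network events; if they describe object lifecycle, a category for which `creation` and `deletion` are expected types would preserve that information instead of dropping it.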
14 changes: 7 additions & 7 deletions packages/cisco_ftd/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2019-08-16T09:39:03.000Z",
"agent": {
"ephemeral_id": "26eb6818-fd18-4fc7-aa90-b1b53cefb42c",
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"ephemeral_id": "ad4e6448-919e-4126-8fee-17e9ce319b12",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.1"
"version": "8.8.1"
},
"cisco": {
"ftd": {
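Review bot: this hunk is regeneration noise rather than part of the fix: new agent ids and the agent `version` moving from 8.9.1 back to 8.8.1, the same backwards step seen in the cisco_asa sample. Regenerate against the current stack or drop the file from the PR so the diff stays limited to the `event.type` change.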
@@ -63,9 +63,9 @@
"version": "8.9.0"
},
"elastic_agent": {
"id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"id": "badbaba5-f530-4934-9eaa-c642f377fae2",
"snapshot": false,
"version": "8.9.1"
"version": "8.8.1"
},
"event": {
"action": "malware-detected",
@@ -76,7 +76,7 @@
],
"code": "430005",
"dataset": "cisco_ftd.log",
"ingested": "2023-08-29T16:38:11Z",
"ingested": "2023-09-22T00:36:30Z",
"kind": "event",
"original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
"severity": 1,
@@ -102,7 +102,7 @@
"log": {
"level": "alert",
"source": {
"address": "172.21.0.4:45378"
"address": "172.26.0.4:33390"
}
},
"network": {