New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cisco_meraki: remove incorrect event.category:threat and event.type:indicator values #8508
Conversation
f4bf156
to
b6ed630
Compare
- threat | ||
type: | ||
- indicator | ||
- intrusion_detection |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not entirely convinced that this is a correct category here, but on the basis of the contexts that I could find it seemed reasonable.
🌐 Coverage report
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current change LGTM 👍🏼
But there are 2 pipelines namely security.yml
and idsalerts.yml
that contains threat.indicator.*
fields. Should we also remove them if they are not to be categorized as IoCs?
@P1llus What is your view on the references to |
From what I can see these are not IoC's, The sample pipeline test data was a bit weird, since both ids and security events are in the same testfile, so I had a hard time finding it first. Since they are not IoC's then indeed the category should never be threat, and threat.indicator.* should simply be mapped to its common ecs field, like threat.indicator.file.name to file.name instead. There is also a weird test-generated.log-expected.json, which seems to be a golden file from when it was still an RSA package, since it does not have any value and do not have its raw file there anymore, lets remove it? |
b6ed630
to
e87e7b1
Compare
@P1llus PTAL |
e87e7b1
to
5895aa5
Compare
5895aa5
to
922efc4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just 1 comment, feel free to provide the change (or none) that you find fits best 👍
category: | ||
- threat | ||
type: | ||
- indicator | ||
action: wireless-packet-flood-detected | ||
"rogue_ssid_detected": | ||
category: | ||
- threat | ||
type: | ||
- indicator | ||
action: rogue-ssid-detected | ||
"ssid_spoofing_detected": | ||
category: | ||
- threat | ||
type: | ||
- indicator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we ensure that all event types have at least one category and type? I think intrustion_dection and info is still a good fit. Or worst case it could be network and info?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah sorry, missed that one, LGTM 👍
Package cisco_meraki - 1.20.1 containing this change is available at https://epr.elastic.co/search?package=cisco_meraki |
Proposed commit message
See title.
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots