[EDR Workflows] Adjust Sentinel One Cloud Funnel mappings to support Analyzer - entity_id #8608
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@elastic/security-external-integrations Hey, I think it's everything that I needed to change in order to get analyzer to work with s1 data. Could somebody please take a look at this? Thanks! 🙇
Hey @tomsonpl, I'm taking a look at this. Let me write out what I've got so far. Here's a summary of the new field handling in the pipelines:
Background information about incoming process information and ECS field population
This data stream includes many types of events, and all seem to have information about a source process that comes in as There are some event categories, including
Background information about enabling the Analyzer
Reading https://github.com/elastic/security-team/issues/7999#issuecomment-1814748178, it sounds like the Analyzer expects a document for each node in the tree, with There's some discussion about missing root or leaf nodes of the process tree because the source and target fields appear in a single document, and there's a choice to make about which to use. If there's a
These changes
With the changes in this PR, the Then in the My only concern here is that the
Hey @chrisberkhout, thanks for the in-depth review! You're totally right here, I feel terrible that I missed all these... :P So I am thinking now that we can take it slow and change the rest of the fields for What in your opinion would be the best approach?
Thanks!
Approach 1 seems like a lot of duplication. Doing it just for the It should be clear to the reader that The
@chrisberkhout I am changing this to draft while I'll be working on the adjustments so you don't get too many notifications. I am not getting the new -set value, like if the if didn't meet criteria. I'll do some more debugging here, and ask you again for the review, ok? :)
field: process.thread.id | ||
copy_from: sentinel_one_cloud_funnel.event.tgt.process.tid | ||
ignore_empty_value: true | ||
if: ctx.sentinel_one_cloud_funnel?.event?.type == 'Process Creation' |
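Review bot: the condition on the last line of this hunk compares event.type against 'Process Creation' with a space, while the pipeline test input at data_stream/event/_dev/test/pipeline/test-process.log carries ProcessCreation without one, so on that input the set never runs and process.thread.id is silently left unset; align the literal with the value the integration actually receives (or normalise event.type first), and drop the null-safe ?. operators unless the neighbouring processors use them, since mixing the two styles makes it unclear which fields are expected to be absent.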
Here and below, I think the condition would be
if: ctx.sentinel_one_cloud_funnel.event.type == 'ProcessCreation'
- Null safe operators (?.) probably aren't needed, given they aren't used in the surrounding code.
- The ProcessCreation value (no space) can be seen in data_stream/event/_dev/test/pipeline/test-process.log
This one was strange, because the data in the original event was with a space between Process Creation. And when I adjusted the code to check for space - it worked.
However, I decided to overwrite all process fields like this, not only ProcessCreation, because it couldn't create an event for the parent sometimes. I am not sure what the issue was, but I had an event for tgt.process.uid, but no event for src.process.uid (parent). Now with the changes that all processes are overwritten - it works as expected.
Do you have any concerns about it?
Thanks @chrisberkhout :elasticheart:
- convert: | ||
field: json.src.process.tid | ||
tag: 'convert_json_src_process_tid' | ||
target_field: sentinel_one_cloud_funnel.event.src.process.tid | ||
type: long | ||
ignore_missing: true | ||
if: ctx.json?.src?.process?.tid != '' | ||
on_failure: | ||
- append: | ||
field: error.message | ||
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' | ||
- set: | ||
field: process.thread.id | ||
copy_from: sentinel_one_cloud_funnel.event.src.process.tid | ||
ignore_empty_value: true |
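Review bot: the guard if: ctx.json?.src?.process?.tid != '' on the convert only filters empty strings; when json.src.process.tid is absent the expression evaluates as null != '', which is true, so the processor still runs and it is ignore_missing: true that does the skipping. That works, but the intent (skip both blank and missing) reads more clearly as ctx.json?.src?.process?.tid != null && ctx.json.src.process.tid != ''. Separately, the trailing set copies the source process thread id into process.thread.id; since src.process data is meant to land in process.parent in this PR, that set belongs with the other parent-side fields rather than next to the convert, otherwise it depends on the later rename to end up in the right place.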
I moved these things for the src process to default.yml
- set: | ||
field: process.thread.id | ||
copy_from: sentinel_one_cloud_funnel.event.tgt.process.tid | ||
ignore_empty_value: true |
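Review bot: this set copies the target process thread id into process.thread.id with no condition; if it sits before the process -> process.parent rename, the value is carried under process.parent by the rename and the target process is left without a thread id. It should run after the rename, together with the other fields taken from sentinel_one_cloud_funnel.event.tgt.process, so that process.* consistently describes the target and process.parent.* the source.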
I moved these things for the tgt process down to after the process -> process.parent rename.
Actually, I mixed that up and removed it.
I'll add it back in an additional commit. It doesn't change the test output, since the field isn't in the input.
- append: | ||
field: process.user.name | ||
value: '{{{sentinel_one_cloud_funnel.event.tgt.process.user.name}}}' | ||
allow_duplicates: false | ||
if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.user?.name != null |
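Review bot: append turns process.user.name into an array, while ECS defines process.user.name as a single keyword; unless one event can legitimately carry several users, a set with copy_from: sentinel_one_cloud_funnel.event.tgt.process.user.name and ignore_empty_value: true is the better fit, keeps the field scalar and avoids the mustache template (which also stringifies whatever it renders). As with the other tgt.process fields, it needs to run after the process -> process.parent rename, or the target's user ends up on the parent.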
I moved this down to after the process -> process.parent rename
- set: | ||
field: process.name | ||
copy_from: sentinel_one_cloud_funnel.event.tgt.process.name | ||
ignore_empty_value: true |
I moved this down to after the process -> process.parent rename
- convert: | ||
field: json.tgt.process.pid | ||
tag: 'convert_json_tgt_process_pid' | ||
target_field: sentinel_one_cloud_funnel.event.tgt.process.pid | ||
ignore_missing: true | ||
type: long | ||
if: ctx.json?.tgt?.process?.pid != '' | ||
on_failure: | ||
- append: | ||
field: error.message | ||
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' |
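Review bot: type: long on this convert disagrees with the mapping of its target, sentinel_one_cloud_funnel.event.tgt.process.pid, which the integration maps as keyword; the stored _source value would then be a number for a field declared as a string, and the same conversion is repeated later when the value is copied into ECS process.pid. Declare type: string here (matching the field's mapping) and perform the long conversion once, at the point where process.pid is populated.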
I moved this into the default.yml file. It's got type: string there, because the sentinel_one_cloud_funnel.event.tgt.process.pid field has type keyword.
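To make the ordering and type points in this thread concrete, here is an added example that is not the integration's pipeline code and not from either participant: a small Python simulation of the four ingest processors the PR leans on (set with copy_from, convert, rename, append) run over a constructed SentinelOne Cloud Funnel event. The sentinel_one_cloud_funnel.event.src/tgt.process paths follow the diff; the sample values, the creation_type parameter and the helper names (get_path, p_set, run_pipeline and so on) are assumptions made for the example. It shows that src.process data must be written before the process -> process.parent rename and tgt.process data after it, that a condition comparing against 'Process Creation' never fires on a ProcessCreation event, and why the S1 pid field stays a string while ECS process.pid becomes a long.

```python
"""Simplified simulation of the ingest processors used in this PR: set (copy_from),
convert, rename and append. Added example, not the integration's own pipeline;
the event below is constructed and the helper names are mine."""
import copy


def get_path(doc, path):
    """Read a dotted path, returning None when any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, path, value):
    """Write a dotted path, creating intermediate objects as needed."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def del_path(doc, path):
    """Remove and return a dotted path (None when absent)."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur.pop(parts[-1], None) if isinstance(cur, dict) else None


def p_set(doc, field, copy_from, condition=None):
    """set with copy_from and ignore_empty_value: true; skipped when the condition is false."""
    if condition is not None and not condition(doc):
        return
    value = get_path(doc, copy_from)
    if value in (None, ""):
        return
    set_path(doc, field, value)


def p_convert(doc, field, target_field, type_):
    """convert with ignore_missing: true; only the 'long' and 'string' types are modelled."""
    value = get_path(doc, field)
    if value is None:
        return
    set_path(doc, target_field, {"long": int, "string": str}[type_](value))


def p_rename(doc, field, target_field):
    """rename: move a whole subtree (used for process -> process.parent)."""
    value = del_path(doc, field)
    if value is not None:
        set_path(doc, target_field, value)


def p_append(doc, field, value):
    """append with allow_duplicates: false; the target always becomes a list."""
    existing = get_path(doc, field)
    items = [] if existing is None else (existing if isinstance(existing, list) else [existing])
    if value not in items:
        items.append(value)
    set_path(doc, field, items)


# Constructed sample event: field paths follow the PR, values are made up.
SAMPLE_EVENT = {
    "json": {
        "src": {"process": {"pid": "4312", "tid": "4320", "name": "explorer.exe",
                            "uid": "S1-PARENT-UID-0001"}},
        "tgt": {"process": {"pid": "5100", "tid": "5104", "name": "cmd.exe",
                            "uid": "S1-CHILD-UID-0002", "user": {"name": "alice"}}},
    },
    # The test log in the PR uses ProcessCreation with no space.
    "sentinel_one_cloud_funnel": {"event": {"type": "ProcessCreation"}},
}


def run_pipeline(event, creation_type="ProcessCreation"):
    """Run the processors in the order the review converged on. creation_type is
    the literal the thread.id condition compares against (assumed parameter)."""
    doc = copy.deepcopy(event)
    s1 = "sentinel_one_cloud_funnel.event"
    # default.yml stage: json.* -> integration fields. pid stays a string because
    # the S1 pid field is mapped as keyword; tid is mapped as long.
    for side in ("src", "tgt"):
        p_convert(doc, f"json.{side}.process.pid", f"{s1}.{side}.process.pid", "string")
        p_convert(doc, f"json.{side}.process.tid", f"{s1}.{side}.process.tid", "long")
        for leaf in ("name", "uid"):
            p_set(doc, f"{s1}.{side}.process.{leaf}", f"json.{side}.process.{leaf}")
    p_set(doc, f"{s1}.tgt.process.user.name", "json.tgt.process.user.name")
    # ECS stage, pass 1: the source (initiating) process fills process.*
    p_convert(doc, f"{s1}.src.process.pid", "process.pid", "long")
    p_set(doc, "process.name", f"{s1}.src.process.name")
    p_set(doc, "process.entity_id", f"{s1}.src.process.uid")
    p_set(doc, "process.thread.id", f"{s1}.src.process.tid")
    # process -> process.parent rename: everything written so far becomes the parent
    p_rename(doc, "process", "process.parent")
    # pass 2 (after the rename): the target process fills process.*
    p_convert(doc, f"{s1}.tgt.process.pid", "process.pid", "long")
    p_set(doc, "process.name", f"{s1}.tgt.process.name")
    p_set(doc, "process.entity_id", f"{s1}.tgt.process.uid")
    p_set(doc, "process.thread.id", f"{s1}.tgt.process.tid",
          condition=lambda d: get_path(d, f"{s1}.type") == creation_type)
    user = get_path(doc, f"{s1}.tgt.process.user.name")
    if user is not None:  # mirrors the != null guard on the append
        p_append(doc, "process.user.name", user)
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(SAMPLE_EVENT)["process"], indent=2))
    # With the spaced literal the thread id is never set on the target process.
    print("thread" in run_pipeline(SAMPLE_EVENT, creation_type="Process Creation")["process"])
```

Running it prints process.* with pid 5100 / parent.pid 4312 and the two entity_ids on the right nodes, and False for the spaced literal: the set processor simply does not fire, which is the "not getting the new set value" symptom described in the thread. Real Painless conditions and the full processor options are not modelled; the point is the ordering and the type choice.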
- append: | ||
field: process.user.name | ||
value: '{{{sentinel_one_cloud_funnel.event.tgt.process.user.name}}}' | ||
allow_duplicates: false | ||
if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.user?.name != null | ||
- set: | ||
field: process.pid | ||
copy_from: sentinel_one_cloud_funnel.event.tgt.process.pid | ||
field: process.name | ||
copy_from: sentinel_one_cloud_funnel.event.tgt.process.name | ||
ignore_empty_value: true | ||
- convert: | ||
field: json.tgt.process.pid | ||
tag: 'convert_json_tgt_process_pid' | ||
target_field: sentinel_one_cloud_funnel.event.tgt.process.pid | ||
field: sentinel_one_cloud_funnel.event.tgt.process.pid | ||
target_field: process.pid | ||
type: long | ||
ignore_missing: true | ||
type: string | ||
if: ctx.json?.tgt?.process?.pid != '' | ||
on_failure: | ||
- append: | ||
field: error.message | ||
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' |
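Review bot: as rendered, the final convert block carries two field:, two target_field: and two type: keys (long and string), and the set above it has two field:/copy_from: pairs, which a single YAML mapping cannot hold; the diff has merged the json.tgt.process.pid -> sentinel_one_cloud_funnel.event.tgt.process.pid convert with the sentinel_one_cloud_funnel.event.tgt.process.pid -> process.pid convert, and the process.pid set with the process.name set. Worth reading the resulting file rather than the diff to confirm these are separate processors, that the one writing process.pid uses type: long while the one writing the S1 keyword field uses type: string, and that each set has exactly one field/copy_from pair, since a duplicated key would keep only the last value without any error.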
In this part the diff is tricky to read, but it should just be doing the things described above.
Thanks @chrisberkhout for the changes, I tested locally and everything works as expected. Big thank you for your help and time :)
Package sentinel_one_cloud_funnel - 0.10.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one_cloud_funnel
Proposed commit message:
Earlier title: [EDR Workflows] Adjust Sentinel One Cloud Funnel mappings to support Analyzer - entity_id
Earlier description:
This PR adds mapping to process.entity_id and process.parent.entity_id in default.yml. Moreover it overwrites process.parent with src.process data, and process with tgt.process for process-pipeline.yml.
There was a suggestion that we might actually also map event.type more dynamically, because now it's just set to [info]. But this can be done in the future :)
Kibana changes: elastic/kibana#170829
Closes: https://github.com/elastic/security-team/issues/7999