adding zerofox integration #971
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
💚 CLA has been signed |
|
@marc-gr - i just signed the contributor agreement |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪 |
marc-gr
requested changes
May 6, 2021
packages/zerofox/data_stream/alerts/_dev/test/pipeline/test-alert.json-expected.json
Outdated
Show resolved
Hide resolved
packages/zerofox/data_stream/alerts/_dev/test/pipeline/test-alert.json-expected.json
Outdated
Show resolved
Hide resolved
packages/zerofox/data_stream/alerts/_dev/test/pipeline/test-alert.json-expected.json
Outdated
Show resolved
Hide resolved
|
hey @zf-jedmunds ! Thanks for the changes. One thing I noticed in your pipeline is that the majority of it is dedicated to renaming fields from ---
description: Pipeline for parsing zerofox alerts
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- set:
field: ecs.version
value: 1.9.0
- rename:
field: message
target_field: event.original
- json:
field: event.original
target_field: zerofox
- set:
field: zerofox.severity
value: info
if: ctx?.zerofox?.severity == 1
- set:
field: zerofox.severity
value: low
if: ctx?.zerofox?.severity == 2
- set:
field: zerofox.severity
value: medium
if: ctx?.zerofox?.severity == 3
- set:
field: zerofox.severity
value: high
if: ctx?.zerofox?.severity == 4
- set:
field: zerofox.severity
value: critical
if: ctx?.zerofox?.severity == 5
- convert:
field: zerofox.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.asset_term.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.entity.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.entity.entity_group.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.entity_term.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.perpetrator.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.rule_id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.rule_group_id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.asset.id
type: string
ignore_missing: true
ignore_failure: true
- convert:
field: zerofox.asset.entity_group.id
type: string
ignore_missing: true
ignore_failure: true
- json:
field: zerofox.metadata
ignore_failure: true
## Cleanup.
- remove:
field:
- zerofox.logs
- zerofox.entered_by
- zerofox.asset_term
- zerofox.entity_term
- zerofox.business_network
- zerofox.entity_email_receiver_id
ignore_missing: true
ignore_failure: true
- script:
description: Remove all empty values from zerofox.perpetrator.
lang: painless
if: ctx?.zerofox?.perpetrator != null
source: ctx.zerofox.perpetrator?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0));
- script:
description: Remove all empty values from zerofox.metadata.
lang: painless
if: ctx?.zerofox?.metadata != null
source: ctx?.zerofox?.metadata?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0));
- script:
description: Remove all empty values from zerofox.
lang: painless
if: ctx?.zerofox != null
source: ctx?.zerofox?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0));
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"Please take a look and feel free to change anything you need in case I messed it up :) If you end up using it remember to re-generate the test golden files. On top of that, would be nice if some ECS mappings could be done and just keep under the Thanks for the work! |
|
/test |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/test |
|
/test |
marc-gr
approved these changes
Jul 29, 2021
marc-gr
reviewed
Jul 29, 2021
eyalkraft
pushed a commit
to build-security/integrations
that referenced
this pull request
Mar 30, 2022
* adding zerofox integration * updated changelog, more test data, remove null fields * metadata in test-alert.json * new fields + mappings + tests * metadata to flattened * pipeline suggestions from marc * rename ZeroFOX to ZeroFox, add ecs mappings * merge in marc-gr updates * Update packages/zerofox/manifest.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enhancement
Integration to the ZeroFOX alerts API
Screenshots