Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve ECS categorization field mappings in cisco module #18537

Merged
merged 5 commits into from
Jun 4, 2020
Merged

[Filebeat] Improve ECS categorization field mappings in cisco module #18537

merged 5 commits into from
Jun 4, 2020

Conversation

leehinman
Copy link
Contributor

What does this PR do?

Improves ECS categorization field mappings in cisco module

Specifically:

  • asa
    • explicitly set ECS version
    • event.kind
    • event.category
    • event.type
    • related.hash
    • related.ip
    • related.user
  • ftd
    • explicitly set ECS version
    • event.kind
    • event.category
    • event.type
    • related.hash
    • related.ip
    • related.user
  • ios
    • explicitly set ECS version
    • event.kind
    • event.category
    • event.type

Why is it important?

ECS categorization fields make the data more useful in the SIEM app and make cross correlation between data sources easier.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=cisco mage -v pythonIntegTest

Related issues

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels May 14, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 14, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented May 14, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 2182
Skipped 382
Total 2564

andrewkroh
andrewkroh reviewed May 14, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some unit tests cases for the cisco/ios JS pipeline that also need updated.

beats/x-pack/filebeat/module/cisco/ios/pipeline_test.go

Line 46 in 95626b8

"event.category": "network_traffic",

@andrewkroh
Copy link
Member

It looks like there's an issue in some of the integ tests. Probably needs another GENERATE=true run.

Specifically:

Testing cisco/asa on /go/src/github.com/elastic/beats/x-pack/filebeat/module/cisco/asa/test/not-ip.log
Testing cisco/ftd on /go/src/github.com/elastic/beats/x-pack/filebeat/module/cisco/ftd/test/security-connection.log

@leehinman leehinman force-pushed the 16028_cisco_ecs_1.4 branch 2 times, most recently from 1a26751 to 6b7d85d Compare May 15, 2020 21:46
@leehinman
Improve ECS categorization field mappings in cisco module
492d387 
- asa
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ftd
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ios
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type

Closes elastic#16028
@leehinman
update ios go tests
88223f6
@leehinman
Updated golden files
0dc6875
@leehinman
Copy link
Contributor Author

run tests

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jun 2, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #18537 updated]

  • Start Time: 2020-06-04T14:36:22.127+0000

  • Duration: 51 min 21 sec

Test stats 🧪

Test Results
Failed 0
Passed 2226
Skipped 382
Total 2608

andrewkroh
andrewkroh approved these changes Jun 4, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jenkins, run tests

@leehinman leehinman merged commit f1139f2 into elastic:master Jun 4, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Jun 4, 2020
@leehinman
[Filebeat] Improve ECS categorization field mappings in cisco module (e…
449b70f 
…lastic#18537)

* Improve ECS categorization field mappings in cisco module

- asa
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ftd
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ios
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type

Closes elastic#16028

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit f1139f2)
@leehinman leehinman mentioned this pull request Jun 4, 2020
Merged
3 tasks
@leehinman leehinman added v7.9.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jun 4, 2020
@leehinman leehinman deleted the 16028_cisco_ecs_1.4 branch June 4, 2020 18:40
leehinman added a commit that referenced this pull request Jun 5, 2020
@leehinman
[Filebeat] Improve ECS categorization field mappings in cisco module (#…
e633606 
…18537) (#18982)

* Improve ECS categorization field mappings in cisco module

- asa
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ftd
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ios
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type

Closes #16028

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit f1139f2)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@leehinman @andrewkroh @melchiormoulin
[Filebeat] Improve ECS categorization field mappings in cisco module (e…
bc3e098 
…lastic#18537)

* Improve ECS categorization field mappings in cisco module

- asa
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ftd
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type
  + related.hash
  + related.ip
  + related.user
- ios
  + explicitly set ECS version
  + event.kind
  + event.category
  + event.type

Closes elastic#16028

Co-authored-by: Andrew Kroh <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs enhancement Filebeat Filebeat v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] Update cisco module to ECS 1.4
3 participants
@leehinman @elasticmachine @andrewkroh