Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Cloud Security] Fix ECS import method #5106

Merged
merged 5 commits into from
Feb 7, 2023
Merged

[Cloud Security] Fix ECS import method #5106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0942827
Fix ECS import method
kfirpeled Jan 26, 2023
8d64bb4
fixed pr no. in changelog
kfirpeled Jan 26, 2023
d2cc334
updated format version, ECS to 8.6, ECS ingested version, and other f…
kfirpeled Jan 26, 2023
4c5a368
moved timestamp declaration to base-fields
kfirpeled Jan 30, 2023
faacfd5
Merge branch 'main' into cspm/fix-ecs-import
kfirpeled Feb 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions packages/cloud_security_posture/_dev/build/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
dependencies:
ecs:
reference: [email protected]
5 changes: 5 additions & 0 deletions packages/cloud_security_posture/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.2.10-next"
changes:
- description: ""
type: enhancement
link: ""
- version: "1.2.9"
changes:
- description: Add monitoring fetcher to the aws cspm hbs file
Expand Down
4 changes: 2 additions & 2 deletions ...ges/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
description: Pipeline for cloudbeat findings
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
field: ecs.version
value: '8.6.0'
on_failure:
- set:
field: error.message
Expand Down
4 changes: 2 additions & 2 deletions packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
- name: data_stream.namespace
type: constant_keyword
description: Data stream namespace.
- name: '@timestamp'
- name: "@timestamp"
type: date
description: Event timestamp.
description: Event timestamp.
89 changes: 0 additions & 89 deletions packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,213 +1,124 @@
- name: "@timestamp"
external: ecs
type: date
- name: agent.ephemeral_id
external: ecs
type: keyword
- name: agent.id
external: ecs
type: keyword
- name: agent.name
external: ecs
type: keyword
- name: agent.type
external: ecs
type: keyword
- name: agent.version
external: ecs
type: keyword
- name: ecs.version
external: ecs
type: keyword
- name: event.agent_id_status
external: ecs
type: keyword
- name: event.ingested
external: ecs
type: date
- name: file.accessed
external: ecs
type: date
- name: file.ctime
external: ecs
type: date
- name: file.directory
external: ecs
type: keyword
- name: file.extension
external: ecs
type: keyword
- name: file.gid
external: ecs
type: keyword
- name: file.group
external: ecs
type: keyword
- name: file.inode
external: ecs
type: keyword
- name: file.mode
external: ecs
type: keyword
- name: file.mtime
external: ecs
type: date
- name: file.name
external: ecs
type: keyword
- name: file.owner
external: ecs
type: keyword
- name: file.path
external: ecs
type: keyword
- name: file.size
external: ecs
type: long
- name: file.type
external: ecs
type: keyword
- name: file.uid
external: ecs
type: keyword
- name: host.architecture
external: ecs
type: keyword
- name: host.containerized
external: ecs
type: boolean
- name: host.hostname
external: ecs
type: keyword
- name: host.ip
external: ecs
type: ip
- name: host.mac
external: ecs
type: keyword
- name: host.name
external: ecs
type: keyword
- name: host.os.codename
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

host.os.codename and host.containerized are not part of ECS atm
elastic/ecs#294
elastic/ecs#1512

Do you think it's worth adding them as a custom field? and for the sake of backward compatibility?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as the field type does not change between the type you set manually and the type the ECS field ends up being its fine to map them. If its unsure then we should get confirmation about the preferred type first.

external: ecs
type: keyword
- name: host.os.family
external: ecs
type: keyword
- name: host.os.full
external: ecs
type: keyword
- name: host.os.kernel
external: ecs
type: keyword
- name: host.os.name
external: ecs
type: keyword
- name: host.os.platform
external: ecs
type: keyword
- name: host.os.type
external: ecs
type: keyword
- name: host.os.version
external: ecs
type: keyword
- name: message
external: ecs
type: match_only_text
- name: process.args
external: ecs
type: keyword
- name: process.args_count
external: ecs
type: long
- name: process.command_line
external: ecs
type: wildcard
- name: process.name
external: ecs
type: keyword
- name: process.parent.pid
external: ecs
type: long
- name: process.parent.start
external: ecs
type: date
- name: process.pgid
external: ecs
type: long
- name: process.pid
external: ecs
type: long
- name: process.start
external: ecs
type: date
- name: process.title
external: ecs
type: keyword
- name: process.uptime
external: ecs
type: long
- name: rule.benchmark.id
external: ecs
type: keyword
- name: rule.benchmark.name
external: ecs
type: keyword
- name: rule.benchmark.version
external: ecs
type: keyword
- name: rule.description
external: ecs
type: keyword
- name: rule.id
external: ecs
type: keyword
- name: rule.name
external: ecs
type: keyword
- name: rule.section
external: ecs
type: keyword
- name: rule.tags
external: ecs
type: keyword
- name: rule.version
external: ecs
type: keyword
- name: event.category
external: ecs
type: keyword
- name: event.created
external: ecs
type: date
- name: event.ingested
external: ecs
type: date
- name: event.id
external: ecs
type: keyword
- name: event.kind
external: ecs
type: keyword
- name: event.sequence
external: ecs
type: long
- name: event.outcome
external: ecs
type: keyword
- name: event.type
external: ecs
type: keyword
- name: orchestrator.cluster.name
external: ecs
type: keyword
- name: cloud.account.id
external: ecs
type: keyword
- name: cloud.account.name
external: ecs
type: keyword
- name: cloud.provider
external: ecs
type: keyword
30 changes: 0 additions & 30 deletions packages/cloud_security_posture/data_stream/findings/fields/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,29 +36,6 @@
ignore_above: 1024
description: Type of the compliance benchmark.
default_field: false
- name: description
level: extended
type: keyword
ignore_above: 1024
description: The description of the rule generating the event.
example: Block requests to public DNS over HTTPS / TLS protocols
default_field: false
- name: id
level: extended
type: keyword
ignore_above: 1024
description: >
A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.

example: 101
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: The name of the rule or signature generating the event.
example: BLOCK_DNS_over_TLS
default_field: false
- name: section
level: extended
type: keyword
Expand All @@ -71,13 +48,6 @@
ignore_above: 1024
description: List of keywords used to tag the rule.
default_field: false
- name: version
level: extended
type: keyword
ignore_above: 1024
description: The version / revision of the rule being used for analysis.
example: 1.1
default_field: false
- name: rule_number
level: extended
type: keyword
Expand Down
9 changes: 5 additions & 4 deletions packages/cloud_security_posture/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
format_version: 1.0.0
format_version: 2.3.0
name: cloud_security_posture
title: "Security Posture Management (CSPM/KSPM)"
version: 1.2.9
release: ga
license: basic
version: "1.2.10-next"
source:
license: "Elastic-2.0"
description: "DO NOT USE MAIN TILE (WIP)"
type: integration
categories:
Expand All @@ -16,6 +16,7 @@ categories:
- google_cloud
conditions:
kibana.version: "^8.7.0"
elastic.subscription: basic
screenshots:
- src: /img/dashboard.png
title: Dashboard page
Expand Down