Update rsa2elk packages fields and config (elastic#349)

Updates the rsa2elk packages to fix some problems: - Missing ECS fields. - Set ECS version to 1.6 - Use contains handlebars action to set publisher_pipeline.disable_host. The resulting packages are: - cisco 0.7.0 - fortinet 0.5.0 - juniper 0.4.0 - microsoft 0.3.0
andrewkroh · Oct 28, 2020 · 4cb174f · 4cb174f
1 parent e06fc03
commit 4cb174f
Show file tree

Hide file tree

Showing 47 changed files with 992 additions and 485 deletions.
diff --git a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs
@@ -13,7 +13,9 @@ fields:
         vendor: "Cisco"
         product: "Meraki"
         type: "Wireless"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:

diff --git a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs
@@ -10,7 +10,9 @@ fields:
         vendor: "Cisco"
         product: "Meraki"
         type: "Wireless"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:

diff --git a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs
@@ -10,7 +10,9 @@ fields:
         vendor: "Cisco"
         product: "Meraki"
         type: "Wireless"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:

diff --git a/packages/cisco/data_stream/meraki/fields/base-fields.yml b/packages/cisco/data_stream/meraki/fields/base-fields.yml
@@ -1,14 +1,12 @@
 - name: data_stream.type
   type: constant_keyword
-  description: Datastream type.
+  description: Data stream type.
 - name: data_stream.dataset
   type: constant_keyword
-  description: Datastream dataset.
+  description: Data stream dataset.
 - name: data_stream.namespace
   type: constant_keyword
-  description: Datastream namespace.
-- name: "@timestamp"
+  description: Data stream namespace.
+- name: '@timestamp'
   type: date
-  description: >
-    Event timestamp.
-
+  description: Event timestamp.
diff --git a/packages/cisco/data_stream/meraki/fields/ecs.yml b/packages/cisco/data_stream/meraki/fields/ecs.yml
@@ -11,6 +11,7 @@
 
         This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.'
       example: Sep 19 08:26:10 localhost My log
+      index: false
     - name: level
       level: core
       type: keyword
@@ -86,16 +87,13 @@
 
         Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.'
       example: success
-    - name: category
-      level: core
+    - name: timezone
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
-
-        `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+      description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise.
 
-        This field is an array. This will allow proper categorization of some events that fall in multiple categories.'
-      example: authentication
+        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
     - name: ingested
       level: core
       type: date
@@ -104,13 +102,8 @@
         This is different from `@timestamp`, which is when the event originally occurred.  It''s also different from `event.created`, which is meant to capture the first time an agent saw the event.
 
         In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.'
-    - name: timezone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise.
-
-        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
+      example: '2016-05-23T08:05:35.101Z'
+      default_field: false
 - name: '@timestamp'
   level: core
   required: true
@@ -123,6 +116,15 @@
 
     Required field for all events.'
   example: '2016-05-23T08:05:34.853Z'
+- name: related
+  type: group
+  fields:
+    - name: user
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All the user names seen on your event.
+      default_field: false
 - name: user
   type: group
   fields:
@@ -159,7 +161,7 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: Unique identifiers of the user.
+      description: Unique identifier of the user.
 - name: message
   level: core
   type: text
@@ -175,9 +177,7 @@
     - name: ip
       level: core
       type: ip
-      description: 'IP address of the source.
-
-        Can be one or multiple IPv4 or IPv6 addresses.'
+      description: IP address of the source (IPv4 or IPv6).
     - name: port
       level: core
       type: long
@@ -244,6 +244,28 @@
           ignore_above: 1024
           description: City name.
           example: Montreal
+    - name: as
+      type: group
+      fields:
+        - name: number
+          level: extended
+          type: long
+          description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+          example: 15169
+        - name: organization
+          type: group
+          fields:
+            - name: name
+              level: extended
+              type: keyword
+              ignore_above: 1024
+              multi_fields:
+                - name: text
+                  type: text
+                  norms: false
+                  default_field: false
+              description: Organization name.
+              example: Google LLC
 - name: host
   type: group
   fields:
@@ -276,9 +298,7 @@
     - name: ip
       level: core
       type: ip
-      description: 'IP address of the destination.
-
-        Can be one or multiple IPv4 or IPv6 addresses.'
+      description: IP address of the destination (IPv4 or IPv6).
     - name: port
       level: core
       type: long
@@ -345,6 +365,28 @@
           ignore_above: 1024
           description: City name.
           example: Montreal
+    - name: as
+      type: group
+      fields:
+        - name: number
+          level: extended
+          type: long
+          description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+          example: 15169
+        - name: organization
+          type: group
+          fields:
+            - name: name
+              level: extended
+              type: keyword
+              ignore_above: 1024
+              multi_fields:
+                - name: text
+                  type: text
+                  norms: false
+                  default_field: false
+              description: Organization name.
+              example: Google LLC
 - name: network
   type: group
   fields:
@@ -531,7 +573,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
+      description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
         This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".'
       example: co.uk
@@ -541,10 +583,10 @@
       ignore_above: 1024
       description: 'The highest registered url domain, stripped of the subdomain.
 
-        For example, the registered domain for "foo.google.com" is "google.com".
+        For example, the registered domain for "foo.example.com" is "example.com".
 
         This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".'
-      example: google.com
+      example: example.com
 - name: service
   type: group
   fields:
@@ -566,6 +608,19 @@
       type: keyword
       ignore_above: 1024
       description: Server domain.
+- name: group
+  type: group
+  fields:
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
 - name: process
   type: group
   fields:
@@ -660,23 +715,6 @@
 - name: http
   type: group
   fields:
-    - name: response
-      type: group
-      fields:
-        - name: body
-          type: group
-          fields:
-            - name: content
-              level: extended
-              type: keyword
-              ignore_above: 1024
-              multi_fields:
-                - name: text
-                  type: text
-                  norms: false
-                  default_field: false
-              description: The full HTTP response body.
-              example: Hello world
     - name: request
       type: group
       fields:
@@ -692,8 +730,12 @@
           ignore_above: 1024
           description: 'HTTP request method.
 
-            The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".'
-          example: get, post, put
+            Prior to ECS 1.6.0 the following guidance was provided:
+
+            "The field value must be normalized to lowercase for querying."
+
+            As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection.  Original case will be mandated in ECS 2.0.0'
+          example: GET, POST, PUT, PoST
 - name: geo
   type: group
   fields:
@@ -747,10 +789,17 @@
           description: 'The domain name to which this resource record pertains.
 
             If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.'
-          example: www.google.com
+          example: www.example.com
         - name: type
           level: extended
           type: keyword
           ignore_above: 1024
           description: The type of data contained in this resource record.
           example: CNAME
+- name: error
+  type: group
+  fields:
+    - name: message
+      level: core
+      type: text
+      description: Error message.
diff --git a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs
@@ -13,7 +13,9 @@ fields:
         vendor: "Cisco"
         product: "Nexus"
         type: "Switches"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:
@@ -6967,4 +6969,4 @@ processors:
 - add_fields:
     target: ''
     fields:
-        ecs.version: 1.5.0
+        ecs.version: 1.6.0
diff --git a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs
@@ -10,7 +10,9 @@ fields:
         vendor: "Cisco"
         product: "Nexus"
         type: "Switches"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:
@@ -6964,4 +6966,4 @@ processors:
 - add_fields:
     target: ''
     fields:
-        ecs.version: 1.5.0
+        ecs.version: 1.6.0
diff --git a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs
@@ -10,7 +10,9 @@ fields:
         vendor: "Cisco"
         product: "Nexus"
         type: "Switches"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 
 processors:
 - script:
@@ -6964,4 +6966,4 @@ processors:
 - add_fields:
     target: ''
     fields:
-        ecs.version: 1.5.0
+        ecs.version: 1.6.0
diff --git a/packages/cisco/data_stream/nexus/fields/base-fields.yml b/packages/cisco/data_stream/nexus/fields/base-fields.yml
@@ -1,14 +1,12 @@
 - name: data_stream.type
   type: constant_keyword
-  description: Datastream type.
+  description: Data stream type.
 - name: data_stream.dataset
   type: constant_keyword
-  description: Datastream dataset.
+  description: Data stream dataset.
 - name: data_stream.namespace
   type: constant_keyword
-  description: Datastream namespace.
-- name: "@timestamp"
+  description: Data stream namespace.
+- name: '@timestamp'
   type: date
-  description: >
-    Event timestamp.
-
+  description: Event timestamp.