-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat] Threatintel compatibility updates #27323
Conversation
This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference
Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline.
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
Adding a comment here, some of the remaining work will be in a separate PR. We wont be changing threatintel.* to threat.*, or removing the nested fields before 7.16. Will work with @rylnd to get this merged this week |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
/test |
* First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4be2694) # Conflicts: # x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
* First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4be2694) # Conflicts: # x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
…27777) * [Filebeat] Threatintel compatibility updates (#27323) * First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4be2694) # Conflicts: # x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml * fixing mergify conflicts Co-authored-by: Ryland Herrick <[email protected]> Co-authored-by: Marius Iversen <[email protected]>
…27778) * [Filebeat] Threatintel compatibility updates (#27323) * First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4be2694) # Conflicts: # x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml * fixing mergify conflicts Co-authored-by: Ryland Herrick <[email protected]> Co-authored-by: Marius Iversen <[email protected]>
* master: (39 commits) [Heartbeat] Move JSON tests from python->go (elastic#27816) docs: simplify permissions for Dockerfile COPY (elastic#27754) Osquerybeat: Fix osquery logger plugin severy levels mapping (elastic#27789) [Filebeat] Update compatibility function to remove processor description on ES < 7.9.0 (elastic#27774) warn log entry and no validation failure when both queue_url and buck… (elastic#27612) libbeat/cmd/instance: ensure test config file has appropriate permissions (elastic#27178) [Heartbeat] Add httpcommon options to ZipURL (elastic#27699) Add a header round tripper option to httpcommon (elastic#27509) [Elastic Agent] Add validation to ensure certificate paths are absolute. (elastic#27779) Rename dashboards according to module.yml files for master (elastic#27749) Refactor vagrantfile, add scripts for provisioning with docker/kind (elastic#27726) Accept syslog dates with leading 0 (elastic#27775) [Filebeat] Add timezone config option to decode_cef and syslog input (elastic#27727) [Filebeat] Threatintel compatibility updates (elastic#27323) Add support for ephemeral containers in elastic agent dynamic provider (elastic#27707) [Filebeat] Integration tests in CI for AWS-S3 input (elastic#27491) Fix flakyness of TestFilestreamEmptyLine (elastic#27705) [Filebeat] kafka v2 using parsers (elastic#27335) Update Kafka version parsing / supported range (elastic#27720) Update Sarama to 1.29.1 (elastic#27717) ...
* First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]>
What does this PR do?
This is a draft of the work discussed between @P1llus and myself. While the plan is to migrate most of this functionality to integration packages, there are some incompatibilities/logical errors that can/should be cleaned up in these modules. At a high level, we've outlined the following changes:
indicator.domain
, which has been deprecated in favor ofindicator.url.domain
event.reference
toindicator.reference
, as it's useful for investigation andevent.*
fields aren't copied as part of enrichmentmoving fromthreatintel.indicator
tothreat.indicator
moving any non-ECSthreatintel.[MODULE]
fieldsets to not be nested underthreatintel
Why is it important?
These changes will allow filebeat 7.15 users to ingest CTI data compatible with ECS 1.11.
Remaining work
abuseurl
module usesurlhaus_reference
to populate its analogous reference field. The test data doesn't indicate so, but if that exists for abusemalware as well, that's a simple fix. If that's not present, the best solution is likely to drop that field from the module.Work determined to be unnecessary for 7.15
threat.indicator
instead ofthreatintel.indicator
threatintel.[MODULE]
fieldsets to the root levelChecklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues