Skip to content

Commit

Permalink
Improve ECS categorization field mappings in osquery module
Browse files Browse the repository at this point in the history
- event.action
- event.kind
- event.type
- file.accessed
- file.created
- file.directory
- file.gid
- file.inode
- file.mode
- file.mtime
- file.name
- file.path
- file.size
- file.type
- file.uid
- host.hostname
- host.id
- process.name
- related.user
- rule.name
- url.full
- user.name

Closes elastic#16176
  • Loading branch information
leehinman committed Apr 21, 2020
1 parent c388f5e commit ebae871
Show file tree
Hide file tree
Showing 6 changed files with 2,041 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Enhance `elasticsearch/slowlog` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17729[17729]
- Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344]
- Added Unix stream socket support as an input source and a syslog input source. {pull}17492[17492]
- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]

*Heartbeat*

Expand Down
158 changes: 158 additions & 0 deletions filebeat/module/osquery/result/ingest/pipeline.json
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,164 @@
"target_field": "osquery.result.calendar_time",
"ignore_missing": true
}
},
{
"set": {
"field": "event.kind",
"value": "event"
}
},
{
"set": {
"field": "event.type",
"value": "info"
}
},
{
"set": {
"field": "event.action",
"value": "{{osquery.result.action}}",
"if": "ctx?.osquery?.result?.action != null"
}
},
{
"date": {
"field": "osquery.result.columns.atime",
"target_field": "file.accessed",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.atime != null"
}
},
{
"date": {
"field": "osquery.result.columns.ctime",
"target_field": "file.created",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.ctime != null"
}
},
{
"date": {
"field": "osquery.result.columns.mtime",
"target_field": "file.mtime",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.mtime != null"
}
},
{
"set": {
"field": "file.directory",
"value": "{{osquery.result.columns.directory}}",
"if": "ctx?.osquery?.result?.columns?.directory != null"
}
},
{
"set": {
"field": "file.name",
"value": "{{osquery.result.columns.filename}}",
"if": "ctx?.osquery?.result?.columns?.filename != null"
}
},
{
"set": {
"field": "file.gid",
"value": "{{osquery.result.columns.gid}}",
"if": "ctx?.osquery?.result?.columns?.gid != null"
}
},
{
"set": {
"field": "file.inode",
"value": "{{osquery.result.columns.inode}}",
"if": "ctx?.osquery?.result?.columns?.inode != null"
}
},
{
"set": {
"field": "file.mode",
"value": "{{osquery.result.columns.mode}}",
"if": "ctx?.osquery?.result?.columns?.mode != null"
}
},
{
"set": {
"field": "file.path",
"value": "{{osquery.result.columns.path}}",
"if": "ctx?.osquery?.result?.columns?.path != null"
}
},
{
"set": {
"field": "file.size",
"value": "{{osquery.result.columns.size}}",
"if": "ctx?.osquery?.result?.columns?.size != null"
}
},
{
"set": {
"field": "file.type",
"value": "{{osquery.result.columns.type}}",
"if": "ctx?.osquery?.result?.columns?.type != null"
}
},
{
"set": {
"field": "file.uid",
"value": "{{osquery.result.columns.uid}}",
"if": "ctx?.osquery?.result?.columns?.uid != null"
}
},
{
"set": {
"field": "user.name",
"value": "{{osquery.result.decorations.username}}",
"if": "ctx?.osquery?.result?.decorations?.uusername != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{user.name}}",
"if": "ctx?.user?.name != null"
}
},
{
"set": {
"field": "host.hostname",
"value": "{{osquery.result.host_identifier}}",
"if": "ctx?.osquery?.result?.host_identifier != null"
}
},
{
"set": {
"field": "host.id",
"value": "{{osquery.result.decorations.host_uuid}}",
"if": "ctx?.osquery?.result?.decorations?.host_uuid != null"
}
},
{
"set": {
"field": "process.name",
"value": "{{osquery.result.columns.process}}",
"if": "ctx?.osquery?.result?.columns?.process != null"
}
},
{
"set": {
"field": "url.full",
"value": "{{osquery.result.columns.source_url}}",
"if": "ctx?.osquery?.result?.columns?.source_url != null && ctx.osquery.result.columns.source_url != 'null'"
}
},
{
"set": {
"field": "rule.name",
"value": "{{osquery.result.name}}",
"if": "ctx?.osquery?.result?.name != null"
}
}
],
"on_failure" : [{
Expand Down
Loading

0 comments on commit ebae871

Please sign in to comment.