

Upgrade cef to ecs 1.8.0. (#23832)
Co-authored-by: Adrian Serrano <[email protected]>
marc-gr and adriansr authored Feb 9, 2021
1 parent 3d31953 commit 0f50842
Showing 4 changed files with 53 additions and 9 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -833,6 +833,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118]
- Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118]
- Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896]
- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832]

*Heartbeat*

2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cef/log/config/input.yml
Expand Up @@ -28,7 +28,7 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0

{{ if .external_zones }}
- add_fields:
29 changes: 21 additions & 8 deletions x-pack/filebeat/module/cef/log/ingest/pipeline.yml
Expand Up @@ -52,35 +52,48 @@ processors:
- append:
field: related.hash
value: "{{cef.extensions.fileHash}}"
if: "ctx?.cef?.extensions?.fileHash != null"
allow_duplicates: false
if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
- append:
field: related.hash
value: "{{cef.extensions.oldFileHash}}"
if: "ctx?.cef?.extensions?.oldFileHash != null"
allow_duplicates: false
if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
- append:
field: related.ip
value: "{{destination.ip}}"
if: "ctx?.destination?.ip != null"
allow_duplicates: false
if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
- append:
field: related.ip
value: "{{destination.nat.ip}}"
if: "ctx?.destination?.nat?.ip != null"
allow_duplicates: false
if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''"
- append:
field: related.ip
value: "{{source.ip}}"
if: "ctx?.source?.ip != null"
allow_duplicates: false
if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
- append:
field: related.ip
value: "{{source.nat.ip}}"
if: "ctx?.source?.nat?.ip != null"
allow_duplicates: false
if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
- append:
field: related.user
value: "{{destination.user.name}}"
if: "ctx?.destination?.user?.name != null"
allow_duplicates: false
if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''"
- append:
field: related.user
value: "{{source.user.name}}"
if: "ctx?.source?.user?.name != null"
allow_duplicates: false
if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
- append:
field: related.hosts
value: "{{observer.hostname}}"
allow_duplicates: false
if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
- pipeline:
name: '{< IngestPipeline "fp-pipeline" >}'
if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
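Review bot: The new `related.hosts` append keyed on `observer.hostname` runs before the `pipeline` processor that invokes `fp-pipeline` on the lines that follow it, so if that Forcepoint sub-pipeline sets or rewrites `observer.hostname` (or other host fields that should feed `related.hosts`), the value it produces will not be collected; if that is the case, either move this append after the `pipeline` processor or have the sub-pipeline maintain `related.hosts` itself. The eight new `!= ''` guards are repeated without any explanation of why a null check alone was insufficient; a comment above the first `append`, such as `# CEF extensions can be present but empty; skip them so related.* never holds ""`, would record the intent, assuming empty extension values are what motivated the change. `allow_duplicates: false` only de-duplicates within the list this processor targets, which is the right scope here but worth stating in the same comment since the same pattern is repeated nine times. The `processors:` list begins before this hunk and continues past it.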
30 changes: 30 additions & 0 deletions x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json
Expand Up @@ -27,6 +27,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "6.6.1",
"related.hosts": [
"10.1.1.40"
],
"service.type": "cef",
"tags": [
"cef",
Expand Down Expand Up @@ -61,6 +64,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "6.6.1",
"related.hosts": [
"10.1.1.40"
],
"service.type": "cef",
"tags": [
"cef",
Expand Down Expand Up @@ -108,6 +114,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "6.6.1",
"related.hosts": [
"10.1.1.40"
],
"related.ip": [
"10.1.1.40",
"10.37.205.252"
Expand Down Expand Up @@ -161,6 +170,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.10"
],
"related.ip": [
"255.255.255.255",
"172.16.1.1"
Expand Down Expand Up @@ -214,6 +226,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.1"
],
"related.ip": [
"192.168.1.1",
"172.16.1.1"
Expand Down Expand Up @@ -264,6 +279,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.6"
],
"related.user": [
"alice"
],
Expand Down Expand Up @@ -304,6 +322,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.3"
],
"related.ip": [
"192.168.1.1"
],
Expand Down Expand Up @@ -347,6 +368,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.10"
],
"related.ip": [
"192.168.1.1"
],
Expand Down Expand Up @@ -390,6 +414,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "unknown",
"related.hosts": [
"10.1.1.8"
],
"related.ip": [
"172.16.2.1"
],
Expand Down Expand Up @@ -432,6 +459,9 @@
"observer.product": "Firewall",
"observer.vendor": "FORCEPOINT",
"observer.version": "6.6.1",
"related.hosts": [
"10.1.1.40"
],
"service.type": "cef",
"tags": [
"cef",
