From 14ef5e151398e6c64c1defb7b16c7729bed1a332 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 3 Feb 2021 14:34:42 +0100 Subject: [PATCH] Upgrade cef to ecs 1.8.0. --- CHANGELOG.next.asciidoc | 1 + .../filebeat/module/cef/log/config/input.yml | 2 +- .../module/cef/log/ingest/pipeline.yml | 29 +++++++++++++----- .../log/test/fp-ngfw-smc.log-expected.json | 30 +++++++++++++++++++ 4 files changed, 53 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b4882537384..0ce3c6f34d8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] - Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] +- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] *Heartbeat* diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 4568f659c3a..7916908599e 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -28,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index 676f66a943a..18a2cda4bf2 100644 --- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -52,35 +52,48 @@ processors: - append: field: related.hash value: "{{cef.extensions.fileHash}}" - if: "ctx?.cef?.extensions?.fileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''" - append: field: related.hash value: "{{cef.extensions.oldFileHash}}" - if: "ctx?.cef?.extensions?.oldFileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''" - append: field: related.ip value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''" - append: field: related.ip value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''" - append: field: related.ip value: "{{source.ip}}" - if: "ctx?.source?.ip != null" + allow_duplicates: false + if: "ctx?.source?.ip != null && ctx?.source?.ip != ''" - append: field: related.ip value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''" - append: field: related.user value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" + allow_duplicates: false + if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''" - append: field: related.user value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" + allow_duplicates: false + if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''" + - append: + field: related.hosts + value: "{{observer.hostname}}" + allow_duplicates: false + if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''" - pipeline: name: '{< IngestPipeline "fp-pipeline" >}' if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index 70ef4f7776f..3087409c970 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -27,6 +27,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -61,6 +64,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -108,6 +114,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "related.ip": [ "10.1.1.40", "10.37.205.252" @@ -161,6 +170,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "255.255.255.255", "172.16.1.1" @@ -214,6 +226,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.1" + ], "related.ip": [ "192.168.1.1", "172.16.1.1" @@ -264,6 +279,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.6" + ], "related.user": [ "alice" ], @@ -304,6 +322,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.3" + ], "related.ip": [ "192.168.1.1" ], @@ -347,6 +368,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "192.168.1.1" ], @@ -390,6 +414,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.8" + ], "related.ip": [ "172.16.2.1" ], @@ -432,6 +459,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef",