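--- a/packages/mimecast/_dev/build/build.yml
+++ b/packages/mimecast/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
-reference: git@8.0
+reference: git@8.2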
5 changes: 5 additions & 0 deletions packages/mimecast/changelog.yml
@@ -1,3 +1,8 @@
- version: "0.0.8"
changes:
- description: Update ecs to version 8.2.0 and implement better practice for email ECS fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/2841
- version: "0.0.7"
changes:
- description: Add content-disposition to test mock to properly create sample event from SIEM logs.
Expand Up @@ -18,7 +18,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "threat-intel-feed-download",
Expand Down Expand Up @@ -71,7 +71,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "threat-intel-feed-download",
Expand Down Expand Up @@ -124,7 +124,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "user-logged-on",
Expand Down Expand Up @@ -175,7 +175,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "logon-requires-challenge",
Expand Down Expand Up @@ -226,7 +226,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "user-logged-on",
Expand Down Expand Up @@ -276,7 +276,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "mimecast-support-login",
Expand Down Expand Up @@ -325,7 +325,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "mimecast-support-login",
Expand Down Expand Up @@ -374,16 +374,20 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"email": {
"from": {
"address": "johndoe@example.com"
"address": [
"johndoe@example.com"
]
},
"origination_timestamp": "2021-09-28 07:59:23+0000",
"subject": "Test on Tues 28th Sept",
"to": {
"address": "johndoe@example.com"
"address": [
"johndoe@example.com"
]
}
},
"event": {
Expand Down Expand Up @@ -433,7 +437,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "search-action",
Expand Down Expand Up @@ -482,7 +486,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "logon-authentication-failed",
Expand Down Expand Up @@ -519,7 +523,7 @@
{
"@timestamp": "2021-10-11T13:21:06.000Z",
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "completed-directory-sync",
Expand Down Expand Up @@ -560,7 +564,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "case-action",
Expand Down Expand Up @@ -609,7 +613,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "logon-authentication-failed",
Expand Down Expand Up @@ -660,7 +664,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "existing-archive-task-changed",
Expand Down Expand Up @@ -709,7 +713,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "connectors-management",
Expand Down Expand Up @@ -758,7 +762,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "page-data-exports",
Expand Down Expand Up @@ -812,7 +816,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "custom-report-definition-created",
Expand Down Expand Up @@ -861,7 +865,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "folder-log-entry",
Expand Down Expand Up @@ -892,7 +896,7 @@
{
"@timestamp": "2021-10-12T19:56:55.000Z",
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "user-password-changed",
Expand Down Expand Up @@ -936,7 +940,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "remediation-incident-adjustment",
Expand Down Expand Up @@ -985,7 +989,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "archive-mailbox-restore",
Expand Down Expand Up @@ -1034,7 +1038,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "archive-mailbox-restore",
Expand Down Expand Up @@ -1083,7 +1087,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "archive-mailbox-export-download",
Expand Down Expand Up @@ -1132,7 +1136,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "review-set-action",
Expand Down Expand Up @@ -1181,7 +1185,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "remediation-incident-adjustment",
Expand Down Expand Up @@ -1230,7 +1234,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "logon-authentication-failed",
Expand Down Expand Up @@ -1280,7 +1284,7 @@
"ip": "67.43.156.15"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"event": {
"action": "logon-authentication-failed",
Expand Up @@ -4,7 +4,7 @@ processors:
# # Generic event/ecs fields we always want to populate
- set:
field: ecs.version
value: "8.0.0"
value: "8.2.0"
- rename:
field: message
target_field: event.original
Expand Down Expand Up @@ -143,6 +143,14 @@ processors:
field: mimecast.eventInfo
pattern: "[%{?key} : %{mimecast.export_type},%{?key} :%{mimecast.export_name},%{?key} :%{user.email},%{?key} :%{mimecast.weekday} %{mimecast.month} %{mimecast.monthday} %{mimecast.time} %{mimecast.timezone} %{mimecast.year},%{?key} :%{client.ip},%{?key} :%{mimecast.columns_exported},%{?key} : %{file.name},%{?key}: %{file.size},%{?key} : %{file.extension}], %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}"
if: 'ctx?.event?.action=="page-data-exports"'
- set:
field: email.from.address
value: ["{{{email.from.address}}}"]
if: "ctx?.email?.from?.address != null"
- set:
field: email.to.address
value: ["{{{email.to.address}}}"]
if: "ctx?.email?.to?.address != null"
- convert:
field: file.size
type: long
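Review bot: The two `set` processors added after the page-data-exports dissect re-create the field by rendering it through a Mustache template, so whatever is currently in `email.from.address` / `email.to.address` is stringified: a value that is already an array (if the upstream extraction, which is outside this hunk, ever produces one) becomes a one-element array holding its `[a, b]` rendering, and an empty string passes the `!= null` test and is stored as `[""]`. I would tighten each condition so only a non-empty scalar string gets wrapped, e.g. `if: "ctx.email?.from?.address instanceof String && !ctx.email.from.address.isEmpty()"`, and mirror it for `email.to.address`. A one-line comment above the pair, `# ECS 8.2 models email.from.address / email.to.address as arrays; wrap the single dissected value`, would record why the pipeline rewrites its own output. The `processors:` list begins above and continues below this hunk.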
18 changes: 9 additions & 9 deletions packages/mimecast/data_stream/audit_events/sample_event.json
@@ -1,33 +1,33 @@
{
"@timestamp": "2021-11-16T12:01:37.000Z",
"agent": {
"ephemeral_id": "fa35babb-45a8-4537-b7e9-037256a9d3e5",
"ephemeral_id": "355a9536-c899-4dd5-b13a-316f7e476175",
"hostname": "docker-fleet-agent",
"id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9",
"id": "ac004e7f-f50a-465b-987f-e85c042a505d",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "7.17.0"
"version": "7.16.0"
},
"data_stream": {
"dataset": "mimecast.audit_events",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.0.0"
"version": "8.2.0"
},
"elastic_agent": {
"id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9",
"snapshot": false,
"version": "7.17.0"
"id": "ac004e7f-f50a-465b-987f-e85c042a505d",
"snapshot": true,
"version": "7.16.0"
},
"event": {
"action": "search-action",
"agent_id_status": "verified",
"created": "2022-02-22T15:33:36.764Z",
"created": "2022-03-22T08:50:57.226Z",
"dataset": "mimecast.audit_events",
"id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o",
"ingested": "2022-02-22T15:33:37Z",
"ingested": "2022-03-22T08:50:58Z",
"original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}"
},
"input": {