From ebf1521adb976c0fdf78aa9c26aa38c5d22851e6 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 11 May 2022 21:57:37 +0930 Subject: [PATCH 1/2] symantec_endpoint: use valid ECS values for fields This cleans up items missed in the previous pass. --- packages/symantec_endpoint/changelog.yml | 5 +++++ .../pipeline/test-agent-traffic.log-expected.json | 12 ++++++------ .../test-remove-mapped-fields.log-expected.json | 4 ++-- .../test/pipeline/test-rfc3164.log-expected.json | 4 ++-- .../test/pipeline/test-rfc5424.log-expected.json | 4 ++-- .../log/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../data_stream/log/sample_event.json | 4 ++-- packages/symantec_endpoint/docs/README.md | 4 ++-- packages/symantec_endpoint/manifest.yml | 2 +- 9 files changed, 24 insertions(+), 19 deletions(-) diff --git a/packages/symantec_endpoint/changelog.yml b/packages/symantec_endpoint/changelog.yml index 8112b3c9685..c29ae4308fb 100644 --- a/packages/symantec_endpoint/changelog.yml +++ b/packages/symantec_endpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.0.4" + changes: + - description: Make field values conform to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/xxxx - version: "0.0.3" changes: - description: Make field values conform to ECS diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-agent-traffic.log-expected.json b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-agent-traffic.log-expected.json index 4344be40e48..b6cb305ca6b 100644 --- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-agent-traffic.log-expected.json +++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-agent-traffic.log-expected.json @@ -22,7 +22,8 @@ "action": "blocked", "category": [ "intrusion_detection", - "network" + "network", + "process" ], "count": 1, "end": "2020-01-30T07:48:18.000Z", 
@@ -32,7 +33,6 @@
"start": "2020-01-30T07:48:18.000Z",
"type": [
"connection",
- "process",
"denied"
]
},
@@ -127,7 +127,8 @@
"action": "blocked",
"category": [
"intrusion_detection",
- "network"
+ "network",
+ "process"
],
"count": 1,
"end": "2020-12-09T00:46:50.000Z",
@@ -137,7 +138,6 @@
"start": "2020-12-09T00:46:50.000Z",
"type": [
"connection",
- "process",
"denied"
]
},
@@ -207,7 +207,8 @@
"action": "blocked",
"category": [
"intrusion_detection",
- "network"
+ "network",
+ "process"
],
"count": 4,
"end": "2020-11-11T19:25:28.000Z",
@@ -217,7 +218,6 @@
"start": "2020-11-11T19:25:21.000Z",
"type": [
"connection",
- "process",
"denied"
]
},
diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-remove-mapped-fields.log-expected.json b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-remove-mapped-fields.log-expected.json
index 072d2c971e5..8e96def41d0 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-remove-mapped-fields.log-expected.json
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-remove-mapped-fields.log-expected.json
@@ -22,7 +22,8 @@
"action": "blocked",
"category": [
"intrusion_detection",
- "network"
+ "network",
+ "process"
],
"count": 1,
"end": "2020-01-30T07:48:18.000Z",
@@ -32,7 +33,6 @@
"start": "2020-01-30T07:48:18.000Z",
"type": [
"connection",
- "process",
"denied"
]
},
diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json
index 3a9991ad24b..c8538737f8e 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json
@@ -21,7 +21,8 @@ "action": "blocked", "category": [ "intrusion_detection", - "network" + "network", + "process" ], "count": 4, "end": "2020-11-11T19:25:28.000Z", @@ -31,7 +32,6 @@ "start": "2020-11-11T19:25:21.000Z", "type": [ "connection", - "process", "denied" ] }, diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc5424.log-expected.json b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc5424.log-expected.json index 4b1b226fda3..0bbccc3aebe 100644 --- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc5424.log-expected.json +++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc5424.log-expected.json @@ -18,7 +18,8 @@ "action": "blocked", "category": [ "intrusion_detection", - "network" + "network", + "process" ], "count": 4, "end": "2020-11-11T19:25:28.000Z", @@ -28,7 +29,6 @@ "start": "2020-11-11T19:25:21.000Z", "type": [ "connection", - "process", "denied" ] }, diff --git a/packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml index cea3822285b..9616d313620 100644 --- a/packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -227,8 +227,8 @@ processors: # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic - name: 'Agent Traffic Log' fingerprint: NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5 - event_category: [intrusion_detection, network] - event_type: [connection, process] + event_category: [intrusion_detection, network, process] + event_type: [connection] columns: - index: 9 name: traffic_direction 
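Review bot: Adding `process` to `event_category` for the Agent Traffic Log entry leaves the record with no `event.type` that ECS pairs with the process category — `event_type` is now just `[connection]`, and the expected outputs elsewhere in this patch show the final type list as `connection`/`denied`, whereas ECS (as far as I recall the category/type table) expects `process` to co-occur with one of `start`, `end`, `change`, `access` or `info`. The individual values are now valid, so an allowed-values check passes, but the category/type pairing is still not ECS-conformant; either drop `process` from the category for this record, which describes a network connection with the application as an attribute, or add the matching type. If `process` is kept, record the reasoning beside the field so the next pass does not undo it, e.g. `# process: the record names the application that opened the connection; ECS has no matching event.type for it, so event_type stays [connection]`. The `processors:` list this entry belongs to, and the processor that consumes `event_category`/`event_type`, begin before the hunk, so I cannot see whether `denied`/`allowed` is appended there or by a later step.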
diff --git a/packages/symantec_endpoint/data_stream/log/sample_event.json b/packages/symantec_endpoint/data_stream/log/sample_event.json
index 52fc62cb0de..080bd684ef5 100644
--- a/packages/symantec_endpoint/data_stream/log/sample_event.json
+++ b/packages/symantec_endpoint/data_stream/log/sample_event.json
@@ -102,11 +102,11 @@
"end": "2020-11-11T19:25:28.000Z",
"category": [
"intrusion_detection",
- "network"
+ "network",
+ "process"
],
"type": [
"connection",
- "process",
"denied"
]
},
diff --git a/packages/symantec_endpoint/docs/README.md b/packages/symantec_endpoint/docs/README.md
index 54502856938..b36bc33b350 100644
--- a/packages/symantec_endpoint/docs/README.md
+++ b/packages/symantec_endpoint/docs/README.md
@@ -456,11 +456,11 @@ An example event for `log` looks as following:
"end": "2020-11-11T19:25:28.000Z",
"category": [
"intrusion_detection",
- "network"
+ "network",
+ "process"
],
"type": [
"connection",
- "process",
"denied"
]
},
diff --git a/packages/symantec_endpoint/manifest.yml b/packages/symantec_endpoint/manifest.yml
index 2a156819891..ca179ab213d 100644
--- a/packages/symantec_endpoint/manifest.yml
+++ b/packages/symantec_endpoint/manifest.yml
@@ -1,6 +1,6 @@
name: symantec_endpoint
title: Symantec Endpoint Protection
-version: 0.0.3
+version: 0.0.4
release: beta
description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
type: integration
From 84d4cb55ef1391e177cfeb0fbf87e9739a365c6d Mon Sep 17 00:00:00 2001
From: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Date: Wed, 11 May 2022 22:00:55 +0930
Subject: [PATCH 2/2] Update packages/symantec_endpoint/changelog.yml
---
packages/symantec_endpoint/changelog.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/symantec_endpoint/changelog.yml b/packages/symantec_endpoint/changelog.yml
index c29ae4308fb..2dcf5f13143 100644
--- a/packages/symantec_endpoint/changelog.yml
+++ b/packages/symantec_endpoint/changelog.yml
@@ -3,7 +3,7 @@ changes: - description: Make field values conform to ECS type: bugfix - link: https://github.com/elastic/integrations/pull/xxxx + link: https://github.com/elastic/integrations/pull/3330 - version: "0.0.3" changes: - description: Make field values conform to ECS