Skip to content

[sentinel_one] Change event.kind and adjust some relevant alert fields#3669

Merged
andrewkroh merged 9 commits intoelastic:mainfrom
ChriZzn:main
Aug 16, 2022
Merged

[sentinel_one] Change event.kind and adjust some relevant alert fields#3669
andrewkroh merged 9 commits intoelastic:mainfrom
ChriZzn:main

Conversation

@ChriZzn
Copy link
Contributor

@ChriZzn ChriZzn commented Jul 8, 2022

What does this PR do?

Added relevant fields for Alerts and changed the event.kind field to "alert", this is useful to show the Threats from Sentinel One in Kibana under "External Alerts"

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@ChriZzn ChriZzn requested a review from a team as a code owner July 8, 2022 09:40
@cla-checker-service
Copy link

cla-checker-service bot commented Jul 8, 2022
edited
Loading

💚 CLA has been signed

@elasticmachine
Copy link

elasticmachine commented Jul 8, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-08-16T19:05:13.323+0000

  • Duration: 18 min 58 sec

Test stats 🧪

Test Results
Failed 0
Passed 31
Skipped 0
Total 31

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@andrewkroh
Copy link
Member

andrewkroh commented Jul 8, 2022

Hi @ChriZzn, could you please sign the CLA https://www.elastic.co/contributor-agreement? Thanks.

@elasticmachine
Copy link

elasticmachine commented Jul 8, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh
andrewkroh requested changes Jul 20, 2022
View reviewed changes
packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml Outdated
- set:
field: process.name
copy_from: json.threatInfo.originatorProcess
if: ctx.json.threatInfo.originatorProcess != null
Copy link
Member

@andrewkroh andrewkroh Jul 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of the if you can use ignore_empty_value: true.

ChriZzn
ChriZzn commented Jul 21, 2022
View reviewed changes
Copy link
Contributor Author

@ChriZzn ChriZzn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Andrew,
thanks for the input, i have adjusted all problems/recommendations, should suit so far.

Regards Christoph

@andrewkroh andrewkroh changed the title Change event.kind and adjusting some relevant alert fields [sentinel_one] Change event.kind and adjust some relevant alert fields Aug 16, 2022
@andrewkroh
Copy link
Member

andrewkroh commented Aug 16, 2022

/test

@elasticmachine
Copy link

elasticmachine commented Aug 16, 2022

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (5/5) 💚
Files 100.0% (5/5) 💚 2.825
Classes 100.0% (5/5) 💚 2.825
Methods 100.0% (71/71) 💚 10.666
Lines 97.976% (2565/2618) 👍 7.058
Conditionals 100.0% (0/0) 💚

@andrewkroh andrewkroh merged commit faa8716 into elastic:main Aug 16, 2022
@andrewkroh andrewkroh mentioned this pull request Aug 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

No one assigned

Labels

Integration:sentinel_one SentinelOne

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ChriZzn @elasticmachine @andrewkroh