Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve ECS field mappings in panw module #17910

Merged
merged 1 commit into from
Apr 23, 2020
Merged

[Filebeat] Improve ECS field mappings in panw module #17910

merged 1 commit into from
Apr 23, 2020

Conversation

leehinman
Copy link
Contributor

What does this PR do?

Adds or changes the following fields in panw module:

  • panw.panos.action
  • event.outcome, limit to succes/failure
  • event.kind
  • event.category, make array
  • event.type, make array
  • rule.name
  • related.user

Why is it important?

Improved ECS compliance makes data more useful in SIEM app and makes correlating between data sources easier.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes #16025

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels Apr 22, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman
Improve ECS field mappings in panw module
e3a48d4 
- panw.panos.action
- event.outcome, limit to succes/failure
- event.kind
- event.category, make array
- event.type, make array
- rule.name
- related.user

Closes elastic#16025
@leehinman
Copy link
Contributor Author

@adriansr can you take a quick look at change in event.outcome (since you were author?)

andrewkroh
andrewkroh approved these changes Apr 23, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
@@ -62,6 +72,11 @@
"0.0.0.0",
"0.0.0.0"
],
"related.user": [
"crusher",
"crusher"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wish the append processor would deduplicate like the AppendTo function in beats.

adriansr
adriansr approved these changes Apr 23, 2020
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@leehinman leehinman merged commit e174441 into elastic:master Apr 23, 2020
@leehinman leehinman deleted the 16025_panw_ecs_1.4 branch April 23, 2020 14:47
leehinman added a commit to leehinman/beats that referenced this pull request Apr 23, 2020
@leehinman
Improve ECS field mappings in panw module (elastic#17910)
1312032 
- panw.panos.action
- event.outcome, limit to succes/failure
- event.kind
- event.category, make array
- event.type, make array
- rule.name
- related.user

Closes elastic#16025

(cherry picked from commit e174441)
@leehinman leehinman mentioned this pull request Apr 23, 2020
Merged
4 tasks
@leehinman leehinman added v7.8.0 and removed needs_backport PR is waiting to be backported to other branches. labels Apr 23, 2020
@kaiyan-sheng kaiyan-sheng mentioned this pull request Apr 23, 2020
Merged
leehinman added a commit that referenced this pull request Apr 29, 2020
@leehinman
Cherry-pick #17910 to 7.x: [Filebeat] Improve ECS field mappings in p…
1343f66 
…anw module (#17943)

* Improve ECS field mappings in panw module (#17910)

- panw.panos.action
- event.outcome, limit to succes/failure
- event.kind
- event.category, make array
- event.type, make array
- rule.name
- related.user
- mage fmt update

Closes #16025

(cherry picked from commit e174441)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs enhancement Filebeat Filebeat v7.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] Upgrade panw module to ECS 1.4
4 participants
@leehinman @elasticmachine @andrewkroh @adriansr