Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Copy tag names from MISP data into event #21664

Merged
merged 1 commit into from
Oct 30, 2020
Merged

[Filebeat] Copy tag names from MISP data into event #21664

merged 1 commit into from
Oct 30, 2020

Conversation

hungnguyen-elastic
Copy link
Contributor

@hungnguyen-elastic hungnguyen-elastic commented Oct 7, 2020
edited by andrewkroh
Loading

What does this PR do?

This PR adds the code to convert MISP tags to Elastic event Tags. This will open up automation opportunity in Elastic from MISP.

Why is it important?

This will open up automation opportunity in Elastic from MISP. This also can allow threat content engineers to create threat matching or SIEM signal rules based on the MISP tags that are now added to the Elastic event through the MISP module

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 7, 2020
@cla-checker-service
Copy link

cla-checker-service bot commented Oct 7, 2020
edited
Loading

💚 CLA has been signed

@elasticmachine
Copy link
Collaborator

elasticmachine commented Oct 7, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #21664 updated]

  • Start Time: 2020-10-30T21:18:31.869+0000

  • Duration: 48 min 58 sec

Test stats 🧪

Test Results
Failed 0
Passed 1947
Skipped 259
Total 2206

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 8, 2020
andrewkroh
andrewkroh requested changes Oct 8, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hungnguyen-elastic

  • Please add a JSON event to the test directory that contains this Tag field.
  • Add an entry to the CHANGELOG.next.asciidoc file under the Added/Filebeat section.
  • Update the golden test files (cd x-pack/filebeat; GENERATE=true PYTEST_ADDOPTS="-k misp" mage -v pythonIntegTest). If you have trouble we can do this step.

x-pack/filebeat/module/misp/threat/config/pipeline.js Outdated Show resolved Hide resolved
x-pack/filebeat/module/misp/threat/config/pipeline.js Outdated Show resolved Hide resolved
@hungnguyen-elastic @andrewkroh
Copy tag names from MISP data into events
3311ec4 
For each tag in the MISP data copy the name attribute into the `tags` array.
@andrewkroh andrewkroh changed the title adding setTags function to convert MISP tags to elastic event tags [Filebeat] Copy tag names from MISP data into event Oct 30, 2020
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Oct 30, 2020
@elasticmachine
Copy link
Collaborator

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 1947
Skipped 259
Total 2206

@andrewkroh andrewkroh merged commit 1933672 into master Oct 30, 2020
@andrewkroh andrewkroh mentioned this pull request Oct 30, 2020
Merged
6 tasks
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Oct 30, 2020
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Oct 30, 2020
@hungnguyen-elastic @andrewkroh
Copy tag names from MISP data into events (elastic#21664)
a3bdc0d 
For each tag in the MISP data copy the name attribute into the `tags` array.

(cherry picked from commit 1933672)
@hungnguyen-elastic
Copy link
Contributor Author

Thanks @andrewkroh

andrewkroh added a commit that referenced this pull request Nov 2, 2020
@andrewkroh @hungnguyen-elastic
Copy tag names from MISP data into events (#21664) (#22331)
aa23e12 
For each tag in the MISP data copy the name attribute into the `tags` array.

(cherry picked from commit 1933672)

Co-authored-by: hungnguyen-elastic <70958189+hungnguyen-elastic@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat review v7.11.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hungnguyen-elastic @elasticmachine @andrewkroh @andresrc