[SIEM] Update signals index ECS mapping to 1.6-dev, add endpoint alert fields #65740
Conversation
marshallmain
added
v8.0.0
release_note:skip
|
Pinging @elastic/endpoint-response (Team:Endpoint Response) |
|
@elasticmachine merge upstream |
|
Pinging @elastic/siem (Team:SIEM) |
marshallmain
force-pushed
the
add-alert-mapping
branch
from
0906b0a
to
a6a09c8
Compare
| @@ -2516,4 +4276,4 @@ | |||
| "refresh_interval": "5s" | |||
| } | |||
| } | |||
| } | |||
| } | |||
|
@elasticmachine merge upstream |
|
Tested by going to this directory: x-pack/plugins/siem/server/lib/detection_engine/scriptsAnd running: ./hard_reset.sh
./post_rule.sh
./post_rule.sh ./rules/queries/query_with_everything.jsonAnd then looking at each rule run and ensuring that the expected histograms and data looks correct. |
FrankHassanabad
added
release_note:enhancement
and removed
release_note:skip
FrankHassanabad
changed the title
|
@elasticmachine merge upstream |
| @@ -441,6 +444,141 @@ | |||
| } | |||
| } | |||
| }, | |||
| "dll": { | |||
| "properties": { | |||
| "code_signature": { | |||
There was a problem hiding this comment.
@marshallmain Are we going to address splitting these (trusted/untrusted) in a later PR?
There was a problem hiding this comment.
I'm hoping to address it with the ECS team. I think multiple code signatures is something we should address at the ECS level rather than making our own custom changes to it.
There was a problem hiding this comment.
Thinking about it more, addressing at the ECS level may take some time. I'd like to merge this so we can start and then merge more changes in future PRs.
|
@elasticmachine merge upstream |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
|
@marshallmain -- you should be good to backport to |
…t fields (elastic#65740) * update ECS schema to 1.6-dev, add endpoint alert fields * use updated endpoint team schemas * add newline * remove extra options Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
kibanamachine
added
the
backport missing
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
kibanamachine
removed
the
backport missing
…t fields (#65740) (#66789) * update ECS schema to 1.6-dev, add endpoint alert fields * use updated endpoint team schemas * add newline * remove extra options Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
This is a stopgap change to start integrating the SIEM signals schema with the endpoint alert schema. This schema was built using the ECS tooling and the custom yaml schemas found at https://github.com/elastic/endpoint-app-team/tree/master/custom_schemas. When the ECS tooling upgrades are finished (elastic/ecs#837 and elastic/ecs#820) we can add yml files for the signal fields and generate the entire mapping with the ECS tooling.
At some point we should move the yml files into the kibana in the SIEM folder, but when we do we should remove them from the endpoint-app-team repo so we don't have multiple copies that could be out of sync.
Checklist
Delete any items that are not applicable to this PR.
For maintainers