[tanium] Map extra fields, set event.kind for alerts (elastic#12055)
- Map extra fields from the new default `threat_response` format.
- Set `event.kind` as a scalar, not an array.
- Set `event.kind` to `alert` if an alert ID is present.
chrisberkhout authored Dec 12, 2024
1 parent 092dc86 commit 29e29a1
Showing 12 changed files with 150 additions and 157 deletions.
5 changes: 5 additions & 0 deletions packages/tanium/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.12.0"
changes:
- description: Map extra fields, set event.kind for alerts.
type: enhancement
link: https://github.com/elastic/integrations/pull/12055
- version: "1.11.0"
changes:
- description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
Expand Up @@ -4,6 +4,7 @@ fields:
- preserve_duplicate_custom_fields
numeric_keyword_fields:
- tanium.threat_response.id
- tanium.threat_response.intel_id
- tanium.threat_response.match_details.config_id
- tanium.threat_response.match_details.config_rev_id
- tanium.threat_response.match_details.finding.whats.intel_intra_ids.id
Expand Up @@ -9,9 +9,7 @@
"category": [
"host"
],
"kind": [
"event"
],
"kind": "alert",
"original": "{\"Alert Id\":\"00000000-0000-0000-9a55-325096b39f47\",\"Timestamp\":\"2024-12-02T16:43:02.609Z\",\"Computer Name\":\"hostname.example.com\",\"Computer IP\":\"67.43.156.65\",\"Intel Id\":714,\"Intel Type\":\"openioc\",\"Intel Name\":\"ELK - Linux Test ALert\",\"Intel Labels\":\"\",\"Match Details\":{\"match\":{\"hash\":\"01234567890123456789\",\"type\":\"port\",\"source\":\"threatresponse_database\",\"version\":1,\"properties\":{\"process\":{\"pid\":6460,\"args\":\"\\\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\components\\\\agentbeat.exe\\\" filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${FILEBEAT_GOGC:100} -E filebeat.config.modules.enabled=false -E logging.event_data.to_stderr=true -E logging.event_data.to_files=false -E http.enabled=true -E http.host=npipe:///asdfasdfasdfasdfasdfasdfasdfasdf.sock -E \\\"path.data=C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\run\\\\filestream-monitoring\\\"\",\"file\":{\"fullpath\":\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-25075f\\\\components\\\\agentbeat.exe\"},\"name\":\"agentbeat.exe\",\"ppid\":2536,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"start_time\":\"2024-12-01T07:33:51.000Z\",\"recorder_table_id\":\"01234567890123456\"},\"local_ip\":\"67.43.156.65\",\"remote_ip\":\"81.2.69.203\",\"local_port\":63123,\"remote_port\":443}},\"finding\":{\"whats\":[{\"source_name\":\"threatresponse_database\",\"intel_intra_ids\":[{\"id_v2\":\"1234567890123456789\"}],\"artifact_activity\":{\"relevant_actions\":[{\"target\":{\"port\":{\"process\":{\"process\":{\"pid\":6460,\"file\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\components\\\\agentbeat.exe\",\"signature_data\":{\"issuer\":\"DigiCert Trusted G4 Code 
Signing RSA4096 SHA384 2021 CA1\",\"status\":1,\"subject\":\"Elasticsearch, Inc.\"}},\"artifact_hash\":\"12345678901234567890\",\"instance_hash\":\"12345678901234562290\"},\"name\":\"agentbeat.exe\",\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\",\"user_id\":\"user-o-1\"}},\"parent\":{\"process\":{\"pid\":2536,\"file\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\elastic-agent.exe\",\"signature_data\":{\"issuer\":\"DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1\",\"status\":1,\"subject\":\"Elasticsearch, Inc.\"}},\"artifact_hash\":\"8123456789012345678\",\"instance_hash\":\"8123456789012345678\"},\"name\":\"elastic-agent.exe\",\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\",\"user_id\":\"uaer-o-1\"}},\"parent\":{\"process\":{\"pid\":824,\"file\":{\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"signature_data\":{\"status\":11}},\"artifact_hash\":\"3123456789123456789\",\"instance_hash\":\"3123456789123456789\"},\"name\":\"services.exe\",\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\",\"user_id\":\"user-o-1\"}},\"parent\":{\"process\":{\"pid\":680,\"file\":{\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"signature_data\":{\"status\":11}},\"artifact_hash\":\"11234567890123456789\",\"instance_hash\":\"11234567890123456789\"},\"name\":\"wininit.exe\",\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT 
AUTHORITY\",\"user_id\":\"user-o-1\"}},\"parent\":{\"process\":{\"handles\":[],\"tanium_recorder_table_id\":\"12345678901234567\"},\"artifact_hash\":\"812345678901234567\",\"instance_hash\":\"5123456789012345678\"},\"handles\":[],\"arguments\":\"wininit.exe\",\"start_time\":\"2024-12-01T07:33:27.000Z\",\"tanium_recorder_table_id\":\"12345678901234567\"},\"artifact_hash\":\"41234567890123456789\",\"instance_hash\":\"11234567890123456789\"},\"handles\":[],\"arguments\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"start_time\":\"2024-12-01T07:33:27.000Z\",\"tanium_recorder_table_id\":\"71234567890123456\"},\"artifact_hash\":\"8123456789012345678\",\"instance_hash\":\"11234567890123456789\"},\"handles\":[],\"arguments\":\"\\\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\elastic-agent.exe\\\"\",\"start_time\":\"2024-12-01T07:33:30.000Z\",\"tanium_recorder_table_id\":\"41234567890123456\"},\"artifact_hash\":\"41234556767890123456\",\"instance_hash\":\"31234234563456734564\"},\"handles\":[],\"arguments\":\"\\\"C:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\components\\\\agentbeat.exe\\\" filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${FILEBEAT_GOGC:100} -E filebeat.config.modules.enabled=false -E logging.event_data.to_stderr=true -E logging.event_data.to_files=false -E http.enabled=true -E http.host=npipe:///asdfasdfasdfasdfasdfasfdasdfasdf.sock -E \\\"path.data=C:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-8.15.0-asdfas\\\\run\\\\filestream-monitoring\\\"\",\"start_time\":\"2024-12-01T07:33:51.000Z\",\"tanium_recorder_table_id\":\"41234567890123456\"},\"artifact_hash\":\"51234567890123455677\",\"instance_hash\":\"2123456789012345678\"},\"local_ip\":\"67.43.156.65\",\"remote_ip\":\"81.2.69.203\",\"local_port\":63123,\"remote_port\":443,\"connection_time\":\"2024-12-01T16:39:15.000Z\"},\"artifact_hash\":\"61234567890123456789\",\"instance_hash\":\"9123456789012345678\",\"is_intel_target\":true}}]}}],\"domain\":\"threatresponse\",\"hunt_id\":\"hunt:1000123\",\"intel_id\":\"731:3:8bb9caea-3c2c-487c-898c-ebbbf7e4ac55\",\"last_seen\":\"2024-12-01T16:39:19.000Z\",\"threat_id\":\"2123456789012345678\",\"finding_id\":\"5212345678901234567\",\"first_seen\":\"2024-12-01T16:39:19.000Z\",\"source_name\":\"threatresponse_database\",\"system_info\":{\"os\":\"Microsoft Windows Server 2022 Datacenter\",\"bits\":64,\"platform\":\"Windows\",\"patch_level\":\"10.0.20111.0.0\",\"build_number\":\"20321\"},\"reporting_id\":\"hunt:1000111\"},\"intel_id\":714,\"config_id\":1000111,\"config_rev_id\":1},\"MITRE Techniques\":\"[]\",\"Impact Score\":4,\"Link\":\"https://tanium.example.com/#/threatresponse/alerts?guid=b80e010f-bf27-41b8-b028-7f7eb4cbe12b\"}",
"type": [
"info"
Expand Down Expand Up @@ -42,10 +40,16 @@
],
"tanium": {
"threat_response": {
"alert_id": "00000000-0000-0000-9a55-325096b39f47",
"computer": {
"ip": "67.43.156.65",
"name": "hostname.example.com"
},
"impact_score": 4,
"intel_id": 714,
"intel_name": "ELK - Linux Test ALert",
"intel_type": "openioc",
"link": "https://tanium.example.com/#/threatresponse/alerts?guid=b80e010f-bf27-41b8-b028-7f7eb4cbe12b",
"match_details": {
"config_id": 1000111,
"config_rev_id": 1,
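Review bot: Every sample in this commit carries `"MITRE Techniques":"[]"` — a JSON array serialized inside a string — so whatever the pipeline does with a populated technique list (and with that double encoding) is not exercised by these expected outputs; the alert-level scalars `alert_id`, `computer`, `impact_score`, `intel_*` and `link` are now mapped, but no `threat.technique.*` field is visible in the part of the document shown here. If the pipeline does decode it, add a fixture with at least one technique ID so the decode path is covered and an `event.kind: alert` document promoted into Security carries the technique; if it deliberately leaves it in `event.original`, a one-line note in the pipeline description saying so would save the next reader a search. This sample is also internally inconsistent: `Alert Id` is `00000000-0000-0000-9a55-325096b39f47` while the `Link` GUID is `b80e010f-bf27-41b8-b028-7f7eb4cbe12b`, whereas the other two samples use the same GUID in both places; if that is an anonymization artifact, aligning them keeps the fixture realistic for anyone who later pivots on the link. The expected document continues past this hunk.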
Expand Up @@ -9,9 +9,7 @@
"category": [
"host"
],
"kind": [
"event"
],
"kind": "alert",
"original": "{\"Alert Id\":\"00000000-0000-0000-bff7-f47bab566416\",\"Timestamp\":\"2024-12-01T14:13:14.840Z\",\"Computer Name\":\"hostname.example.com\",\"Computer IP\":\"216.160.83.60\",\"Intel Id\":715,\"Intel Type\":\"openioc\",\"Intel Name\":\"ELK - Linux Test ALert 2 /tmp/iambadvirus.vrs\",\"Intel Labels\":\"\",\"Match Details\":{\"match\":{\"hash\":\"17609926402141399576\",\"type\":\"file\",\"source\":\"at_rest\",\"version\":1,\"properties\":{\"md5\":\"affc5518d1994201d1659890fde69ebb\",\"sha1\":\"3adbbe3ea108260e955fa9ef66355576dabb0e84\",\"sha256\":\"f2f58f9bf1732a38ff996cbfab59ef79b11b67124ed58b8764eb6985d096a23a\",\"fullpath\":\"/tmp/iambadvirus.vrs\"}},\"finding\":{\"whats\":[{\"source_name\":\"at_rest\",\"intel_intra_ids\":[{\"id_v2\":\"51234567891234567890\"}],\"artifact_activity\":{\"relevant_actions\":[{\"target\":{\"file\":{\"hash\":{\"md5\":\"affc5518d1994201d1659890fde69ebb\",\"sha1\":\"3adbbe3ea108260e955fa9ef66355576dabb0e84\",\"sha256\":\"f2f58f9bf1732a38ff996cbfab59ef79b11b67124ed58b8764eb6985d096a23a\"},\"path\":\"/tmp/iambadvirus.vrs\",\"size_bytes\":{},\"magic_number_hex\":{},\"modification_time\":\"2024-12-01T20:25:32.000Z\",\"instance_hash_salt\":\"5432\"},\"artifact_hash\":\"61234567890123456789\",\"instance_hash\":\"7123456778980123456\",\"is_intel_target\":true}}]}}],\"domain\":\"threatresponse\",\"hunt_id\":\"hunt:1000123\",\"intel_id\":\"715:4:8de17746-8210-4ab3-87d2-221ffa7e5dc0\",\"last_seen\":\"2024-12-04T14:10:17.000Z\",\"threat_id\":\"51234567890123456789\",\"finding_id\":\"6123456788901234567\",\"first_seen\":\"2024-12-01T14:10:17.000Z\",\"source_name\":\"at_rest\",\"system_info\":{\"os\":\"Rocky Linux release 9.4 (Blue Onyx)\",\"bits\":64,\"platform\":\"Linux\"},\"reporting_id\":\"hunt:1000123\"},\"intel_id\":715,\"config_id\":1000123,\"config_rev_id\":1},\"MITRE Techniques\":\"[]\",\"Impact Score\":\"\",\"Link\":\"https://tanium.hostname.example.com/#/threatresponse/alerts?guid=00000000-0000-0000-bff7-f47bab566416\"}",
"type": [
"info"
Expand Down Expand Up @@ -47,10 +45,15 @@
],
"tanium": {
"threat_response": {
"alert_id": "00000000-0000-0000-bff7-f47bab566416",
"computer": {
"ip": "216.160.83.60",
"name": "hostname.example.com"
},
"intel_id": 715,
"intel_name": "ELK - Linux Test ALert 2 /tmp/iambadvirus.vrs",
"intel_type": "openioc",
"link": "https://tanium.hostname.example.com/#/threatresponse/alerts?guid=00000000-0000-0000-bff7-f47bab566416",
"match_details": {
"config_id": 1000123,
"config_rev_id": 1,
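Review bot: The raw event carries `md5`, `sha1` and `sha256` of the matched file `/tmp/iambadvirus.vrs` under `Match Details.match.properties`, and the visible part of the expected document maps only the alert-level scalars (`alert_id`, `computer`, `intel_id`, `intel_name`, `intel_type`, `link`); the hunk is cut off before `match_details`, so I cannot tell whether those hashes and the path also land in ECS `file.hash.md5`, `file.hash.sha1`, `file.hash.sha256` and `file.path`. If they do not, that mapping is what makes these documents usable by indicator-match rules and cross-source pivots now that `event.kind` is `alert`; left only under `tanium.threat_response.match_details.*` they are unreachable by the standard ECS queries. Either way a comment in the pipeline stating the decision would help, e.g. `# match.properties.{md5,sha1,sha256} are copied to file.hash.* so indicator-match rules can key on them`. The expected document continues past this hunk.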
Expand Up @@ -9,9 +9,7 @@
"category": [
"host"
],
"kind": [
"event"
],
"kind": "alert",
"original": "{\"Alert Id\":\"00000000-0000-0000-a8b0-00cd73a5b9d0\",\"Timestamp\":\"2024-12-01T14:20:00.370Z\",\"Computer Name\":\"hostname.example.com\",\"Computer IP\":\"216.160.83.60\",\"Intel Id\":715,\"Intel Type\":\"openioc\",\"Intel Name\":\"ELK - Linux Test ALert 2 /tmp/iambadvirus.vrs\",\"Intel Labels\":\"\",\"Match Details\":{\"match\":{\"hash\":\"61234567890123456789\",\"type\":\"file\",\"source\":\"at_rest\",\"version\":1,\"properties\":{\"md5\":\"02addf15dea00c97050cc5f08d095e65\",\"sha1\":\"8290fd02d831086c007e95e9ee07481337f4dcef\",\"size\":\"69\",\"sha256\":\"b62aff44a248c9934fc9c0daefe3926c347a260bdb4ef59d0a77e6db4be9c786\",\"fullpath\":\"/tmp/verybadvirus.vrs\"}},\"finding\":{\"whats\":[{\"source_name\":\"at_rest\",\"intel_intra_ids\":[{\"id_v2\":\"11234567890123456789\"}],\"artifact_activity\":{\"relevant_actions\":[{\"target\":{\"file\":{\"hash\":{\"md5\":\"02addf15dea00c97050cc5f08d095e65\",\"sha1\":\"8290fd02d831086c007e95e9ee07481337f4dcef\",\"sha256\":\"b62aff44a248c9934fc9c0daefe3926c347a260bdb4ef59d0a77e6db4be9c786\"},\"path\":\"/tmp/verybadvirus.vrs\",\"size_bytes\":\"69\",\"magic_number_hex\":\"23098420\",\"modification_time\":\"2024-12-01T17:42:10.000Z\",\"instance_hash_salt\":\"1234\"},\"artifact_hash\":\"61234567890123456789\",\"instance_hash\":\"1123456789012345678\",\"is_intel_target\":true}}]}}],\"domain\":\"threatresponse\",\"hunt_id\":\"hunt:1000123\",\"intel_id\":\"715:4:b70b41e7-e698-451a-a7e8-b7524a6e6c3c\",\"last_seen\":\"2024-12-01T14:15:25.000Z\",\"threat_id\":\"56112345667882345566\",\"finding_id\":\"712345678901234567\",\"first_seen\":\"2024-12-01T14:15:25.000Z\",\"source_name\":\"at_rest\",\"system_info\":{\"os\":\"Rocky Linux release 9.4 (Blue Onyx)\",\"bits\":64,\"platform\":\"Linux\"},\"reporting_id\":\"hunt:1000123\"},\"intel_id\":715,\"config_id\":1000123,\"config_rev_id\":1},\"MITRE Techniques\":\"[]\",\"Impact 
Score\":\"\",\"Link\":\"https://tanium.example.com/#/threatresponse/alerts?guid=00000000-0000-0000-a8b0-00cd73a5b9d0\"}",
"type": [
"info"
Expand Down Expand Up @@ -47,10 +45,15 @@
],
"tanium": {
"threat_response": {
"alert_id": "00000000-0000-0000-a8b0-00cd73a5b9d0",
"computer": {
"ip": "216.160.83.60",
"name": "hostname.example.com"
},
"intel_id": 715,
"intel_name": "ELK - Linux Test ALert 2 /tmp/iambadvirus.vrs",
"intel_type": "openioc",
"link": "https://tanium.example.com/#/threatresponse/alerts?guid=00000000-0000-0000-a8b0-00cd73a5b9d0",
"match_details": {
"config_id": 1000123,
"config_rev_id": 1,