Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Meta] support new ECS 1.6 fields #19472

Closed
20 of 22 tasks
leehinman opened this issue Jun 26, 2020 · 3 comments
Closed
20 of 22 tasks

[Meta] support new ECS 1.6 fields #19472

leehinman opened this issue Jun 26, 2020 · 3 comments
Labels
ecs Epic meta

Comments

@leehinman
Copy link
Contributor

leehinman commented Jun 26, 2020
edited by marc-gr
Loading

Support new ECS 1.6 fields

add support for new ECS fields from elastic/ecs#930 1.6.0 Changelog

Describe the enhancement:
elastic/ecs#762 ECS added support for storing common core fields
of X509 certificates. The following data sources should be looked at
to see if they can take advantage of the new fields:

  • Filebeat checkpoint/firewall
  • Filebeat fortinet/firewall
  • Filebeat santa/log
  • Filebeat suricata/eve
  • Filebeat zeek/kerberos
  • Filebeat zeek/ssl
  • Filebeat zeek/x509
  • Heartbeat (was done)
  • Packetbeat (most of the work already done)
  • Winlogbeat (CA event logs, Certificate lifecycle, etc.)
  • review others to double check we didn't miss anything

Describe the enhancement:
elastic/ecs#763 added architecture & imphash for PE field set

  • Winlogbeat sysmon imphash

Describe the enhancement:
elastic/ecs#816 Added more account and project cloud metadata.

  • AWS
  • GCP
  • Azure

Describe the enhancement:
elastic/ecs#907 Added event.reason for the reason why an event's
outcome or action was taken.

Describe the enhancement:
elastic/ecs#913 Added related.hosts to capture all hostnames and
host identifiers on an event.

  • rsa2elk modules
  • Filebeat panw
  • Filebeat osquery
  • Filebeat system
  • Filebeat microsoft/defender_atp
  • Filebeat suricat
  • Filebeat cisco

Describe the enhancement:
elastic/ecs#917 Added user.roles to capture a list of role names
that apply to the user.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 26, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 26, 2020
@leehinman leehinman changed the title [Meta] Make use of ECS multiple users in event fields [Meta] support new ECS 1.6 fields Jun 29, 2020
This was referenced Aug 26, 2020
Merged
Merged
Merged
Merged
This was referenced Sep 2, 2020
Merged
Merged
This was referenced Sep 3, 2020
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Sep 18, 2020
Merged
Merged
@andrewkroh
Copy link
Member

It looks like we have made all of the necessary changes to support 1.6. I think we should now bump the ecs.version on all the modules that did not need changes.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Oct 1, 2020
@andrewkroh
Bump version to ECS 1.6 in modules without ECS updates
d7ccef1 
For the Filebeat modules that required no changes to move to ECS 1.6 this updates the ecs.version field from 1.5.0 to 1.6.0.

And update the ecs.version for Auditbeat, Packetbeat, and Winlogbeat.

Relates elastic#19472
@andrewkroh andrewkroh mentioned this issue Oct 1, 2020
Merged
2 tasks
@andrewkroh
Copy link
Member

I opened #21455 to update the version in Filebeat modules that required no changes, Winlogbeat, Auditbeat, and Packetbeat.

andrewkroh added a commit that referenced this issue Oct 4, 2020
@andrewkroh
Bump version to ECS 1.6 in modules without ECS updates (#21455)
e9cb70f 
For the Filebeat modules that required no changes to move to ECS 1.6 this updates the ecs.version field from 1.5.0 to 1.6.0.

And update the ecs.version for Auditbeat, Packetbeat, and Winlogbeat.

Relates #19472
@blakerouse blakerouse mentioned this issue Feb 22, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ecs Epic meta
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@andrewkroh @elasticmachine @leehinman @jamiehynds