[ECS] Upgrade modules to 1.7 #21674
Pinging @elastic/siem (Team:SIEM)

@jamiehynds maybe can give some input about what we want to do with the experimental changes

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Discussed with @epixa and @andrewkroh yesterday. Adopting multi-user and wildcard is something we'd like to do. Once we have a clearer picture on affected modules and level of effort, we can prioritise which modules to focus on for 7.11.
- "external" when traffic src and dst are in 'WAN' zone Relates elastic#21674
…22973) * improve logic for network.direction in sophos xg fileset - "external" when traffic src and dst are in 'WAN' zone Relates #21674 * Update CHANGELOG.next.asciidoc Co-authored-by: Andrew Kroh <[email protected]> Co-authored-by: Andrew Kroh <[email protected]>
* panos config option to set internal/external zones - default internal zone is "trust" - default external zone is "untrust" - allows for user to define zones for determining network.direction Relates #21674
…c#22998) * panos config option to set internal/external zones - default internal zone is "trust" - default external zone is "untrust" - allows for user to define zones for determining network.direction Relates elastic#21674 (cherry picked from commit 7b7bbe9)
…22973) (#22989) * improve logic for network.direction in sophos xg fileset - "external" when traffic src and dst are in 'WAN' zone Relates #21674 * Update CHANGELOG.next.asciidoc Co-authored-by: Andrew Kroh <[email protected]> Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit db4830b)
Closing this since we're done and moving on to 1.8 upgrade

Required changes to upgrade beats modules to 1.7:

Using https://github.com/elastic/ecs-dev/issues/199 as reference:

Experimental

- Use of basic types with wildcard elastic/dev#1508 elastic/ecs#970:
  (important note: going with option 2 will require each Beat to implement this fallback mechanism to replace `wildcard` with `keyword` when posting an index template to Elasticsearch.)
- Multiple users in an event elastic/ecs#914

Additions in 1.7:

- New `ingress` and `egress` allowed values for `network.direction` elastic/ecs#945:
  - Filebeat cisco umbrella (waiting on CIDR matching processors/painless support in elasticsearch: Painless convenience function for matching IP addresses elasticsearch#60668)
  - Filebeat rsa2elk modules (@adriansr) (need to add individual module configuration support, see "Add network.direction classification to rsa2elk modules" #23114)
- HTTP request/response mime type elastic/ecs#944:
  (important note: needs to analyze body)
  - Filebeat o365 (doesn't capture request/response body)
  - Filebeat gsuite (doesn't capture request/response body)
  - Filebeat suricata eve (doesn't capture request/response body)
  - Filebeat rsa2elk modules (doesn't capture request/response body)
  - Filebeat checkpoint firewall (doesn't capture request/response body)
  - Filebeat cef (doesn't capture request/response body)
  - Filebeat cisco ftd (doesn't capture request/response body)
  - Filebeat cisco umbrella (doesn't capture request/response body)
  - Filebeat fortinet clientendpoint (doesn't capture request/response body)
  - Filebeat fortinet firewall (doesn't capture request/response body)
  - Filebeat fortinet fortimail (doesn't capture request/response body)
  - Filebeat fortinet fortimanager (doesn't capture request/response body)
  - Filebeat panw panos (doesn't capture request/response body)
  - Filebeat sophos xg (doesn't capture request/response body)
  - Filebeat zeek http (doesn't capture request/response body)
- New allowed value `configuration` for `event.category` elastic/ecs#963:
  - Auditbeat system (no configuration events to be classified)
  - Filebeat Okta (no configuration events to be classified)
  - Filebeat microsoft (check if rsa2elk microsoft modules need updating)
  - Filebeat rsa2elk modules (currently we don't do any event categorization)
- Add `subdomain` domain breakdown across all domain breakdowns (currently only in `dns`) elastic/ecs#981:
  - Packetbeat (seems done for `dns`)
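As an added example (not Beats or ECS code) of the zone-based `network.direction` classification that the panos and sophos xg changes referenced above describe, using the ECS 1.7 values: the `trust`/`untrust` defaults and the WAN-as-external rule come from those commit messages; the `inbound`/`outbound` mapping for cross-zone traffic, the `LAN` zone name, and the `ZoneConfig`/`Direction` names are assumptions made here.

```go
package main

import "fmt"

// ZoneConfig is the operator-defined zone split from the panos change: which zones are internal/external.
type ZoneConfig struct {
	Internal []string
	External []string
}

// DefaultPanosZones uses the defaults stated in the panos commit message.
var DefaultPanosZones = ZoneConfig{Internal: []string{"trust"}, External: []string{"untrust"}}

// SophosZones treats WAN as external (sophos xg change); LAN as internal is assumed.
var SophosZones = ZoneConfig{Internal: []string{"LAN"}, External: []string{"WAN"}}

func inZones(zones []string, zone string) bool {
	for _, z := range zones {
		if z == zone {
			return true
		}
	}
	return false
}

// Direction maps a source/destination zone pair to an ECS 1.7 network.direction value.
// "internal"/"external" (both zones on the same side) follow the commits above; "inbound"/
// "outbound" for cross-zone traffic is assumed from ECS; an unconfigured zone yields "unknown".
func Direction(cfg ZoneConfig, srcZone, dstZone string) string {
	srcInt, srcExt := inZones(cfg.Internal, srcZone), inZones(cfg.External, srcZone)
	dstInt, dstExt := inZones(cfg.Internal, dstZone), inZones(cfg.External, dstZone)
	switch {
	case srcInt && dstInt:
		return "internal"
	case srcExt && dstExt:
		return "external"
	case srcExt && dstInt:
		return "inbound"
	case srcInt && dstExt:
		return "outbound"
	default:
		return "unknown"
	}
}

func main() {
	// Constructed sample: a panos event trust->untrust and a sophos xg event WAN->WAN.
	fmt.Println(Direction(DefaultPanosZones, "trust", "untrust"), Direction(SophosZones, "WAN", "WAN"))
}
```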