Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ECS] Upgrade modules to 1.7 #21674

Closed
marc-gr opened this issue Oct 8, 2020 · 6 comments
Closed

[ECS] Upgrade modules to 1.7 #21674

marc-gr opened this issue Oct 8, 2020 · 6 comments

Comments

@marc-gr
Copy link
Contributor

marc-gr commented Oct 8, 2020

Required changes to upgrade beats modules to 1.7:

Using https://github.com/elastic/ecs-dev/issues/199 as reference:

Experimental

Use of basic types with wildcard elastic/dev#1508 elastic/ecs#970:
(important note: Going with option 2 will require each Beat to implement this fallback mechanism to replace wildcard to keyword, when posting an index template to Elasticsearch.)

Multiple users in an event elastic/ecs#914
  • Auditbeat
  • Packetbeat
  • Winlogbeat
  • Filebeat auditd
  • Filebeat rsa2elk modules
  • Filebeat checkpoint firewall
  • Filebeat cisco asa
  • Filebeat cef
  • Filebeat cisco ftd
  • Filebeat cisco umbrella
  • Filebeat citrix netscaler
  • Filebeat f5
  • Filebeat crowdstrike falcon
  • Filebeat fortinet clientendpoint
  • Filebeat fortinet firewall
  • Filebeat fortinet fortimail
  • Filebeat fortinet fortimanager
  • Filebeat googlecloud audit
  • Filebeat microsoft
  • Filebeat Gsuite
  • Filebeat o365
  • Filebeat zoom
  • Filebeat okta
  • Filebeat aws cloudtrail
  • Filebeat barracuda
  • Filebeat s3
  • Filebeat juniper
  • Filebeat netscout
  • Filebeat panw
  • Filebeat snort
  • Filebeat sonicwall
  • Filebeat sophos
  • Filebeat zeek irc
  • Filebeat zeek kerberos
  • Filebeat zeek ntlm
  • Filebeat zeek radius
  • Filebeat zeek webhook

Additions in 1.7:

New ingress and egress allowed values for network.direction elastic/ecs#945:

HTTP request/response mime type elastic/ecs#944:
(important note: needs to analyze body)

  • Packetbeat ([Processors] Mime-Type Detection #22940)
  • Hearbeat ([Heartbeat] Add mime type detection #22976)
  • Filebeat elasticsearch ([Filebeat] Add mime type detection for Elasticsearch module #22975)
  • Filebeat o365 (doesn't capture request/response body)
  • Filebeat gsuite (doesn't capture request/response body)
  • Filebeat suricata eve (doesn't capture request/response body)
  • Filebeat rsa2elk modules (doesn't capture request/response body)
  • Filebeat checkpoint firewall (doesn't capture request/response body)
  • Filebeat cef (doesn't capture request/response body)
  • Filebeat cisco ftd (doesn't capture request/response body)
  • Filebeat cisco umbrella (doesn't capture request/response body)
  • Filebeat fortinet clientendpoint (doesn't capture request/response body)
  • Filebeat fortinet firewall (doesn't capture request/response body)
  • Filebeat fortinet fortimail (doesn't capture request/response body)
  • Filebeat fortinet fortimanager (doesn't capture request/response body)
  • Filebeat panw panos (doesn't capture request/response body)
  • Filebeat sophos xg (doesn't capture request/response body)
  • Filebeat zeek http (doesn't capture request/response body)

New allowed value configuration for event.category elastic/ecs#963:

Add subdomain domain breakdown across all domain breakdowns (currently only in dns) elastic/ecs#981:

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@webmat
Copy link
Contributor

webmat commented Oct 8, 2020

@marc-gr If the team would rather tackle only 1/2 of the experimental changes (e.g. only wildcard), you're welcome to do so.

Me or @ebeahan can help you get the artifacts you need, to only grab the relevant experimental changes, rather than both changes at once.

@marc-gr
Copy link
Contributor Author

marc-gr commented Oct 13, 2020

@jamiehynds maybe can give some input about what we want to do with the experimental changes

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds
Copy link

@jamiehynds maybe can give some input about what we want to do with the experimental changes

Discussed with @epixa and @andrewkroh yesterday. Adopting multi-user and wildcard is something we'd like to do. Once we have a clearer picture on affected modules and level of effort, we can prioritise which modules to focus on for 7.11.

leehinman added a commit to leehinman/beats that referenced this issue Dec 8, 2020
- "external" when traffic src and dst are in 'WAN' zone

Relates elastic#21674
leehinman added a commit that referenced this issue Dec 8, 2020
…22973)

* improve logic for network.direction in sophos xg fileset

- "external" when traffic src and dst are in 'WAN' zone

Relates #21674

* Update CHANGELOG.next.asciidoc

Co-authored-by: Andrew Kroh <[email protected]>

Co-authored-by: Andrew Kroh <[email protected]>
leehinman added a commit that referenced this issue Dec 9, 2020
* panos config option to set internal/external zones

- default internal zone is "trust"
- default external zone is "untrust"
- allows for user to define zones for determining network.direction

Relates #21674
leehinman added a commit to leehinman/beats that referenced this issue Dec 9, 2020
…c#22998)

* panos config option to set internal/external zones

- default internal zone is "trust"
- default external zone is "untrust"
- allows for user to define zones for determining network.direction

Relates elastic#21674

(cherry picked from commit 7b7bbe9)
leehinman added a commit that referenced this issue Dec 9, 2020
#23037)

* panos config option to set internal/external zones

- default internal zone is "trust"
- default external zone is "untrust"
- allows for user to define zones for determining network.direction

Relates #21674

(cherry picked from commit 7b7bbe9)
leehinman added a commit that referenced this issue Dec 10, 2020
…22973) (#22989)

* improve logic for network.direction in sophos xg fileset

- "external" when traffic src and dst are in 'WAN' zone

Relates #21674

* Update CHANGELOG.next.asciidoc

Co-authored-by: Andrew Kroh <[email protected]>

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit db4830b)
@andrewstucki
Copy link

Closing this since we're done and moving on to 1.8 upgrade

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants