[Filebeat] Improve ECS categorization field mappings in googlecloud module #16500

leehinman · 2020-02-21T21:44:57Z

audit
- event.id
- event.action
- event.kind
firewall
- event.kind
- event.category
- event.type
- event.action
- event.id
- rule.name
vpcflow
- event.kind
- event.category
- event.type
- event.id

Closes #16030

elasticmachine · 2020-02-21T21:45:00Z

Pinging @elastic/siem (Team:SIEM)

andrewkroh

I think this fully addresses #15651 too. So that can be closed by this.

andrewkroh · 2020-02-22T02:25:57Z

x-pack/filebeat/module/googlecloud/audit/config/pipeline.js

@@ -123,8 +125,9 @@ function Audit(keep_original_message) {
        }
    };

-    // Set event.outcome based on authentication_info and status.
-    var setEventOutcome = function(evt) {
+    // Set ECS categorization fields


This documentation no longer reads so well. Maybe it just needs a period?

andrewkroh · 2020-02-22T02:36:32Z

x-pack/filebeat/module/googlecloud/audit/config/pipeline.js

@@ -38,6 +38,7 @@ function Audit(keep_original_message) {
    var saveMetadata = new processor.Convert({
        fields: [
            {from: "json.logName", to: "log.logger"},
+            {from: "json.insertId", to: "event.id"},


The pubsub input sets this field already but this is a better value.

+ audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes elastic#16030 Closes elastic#15651

…odule (elastic#16500) + audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes elastic#16030 Closes elastic#15651 (cherry picked from commit e1fa198)

…odule (#16500) (#16528) + audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes #16030 Closes #15651 (cherry picked from commit e1fa198)

leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels Feb 21, 2020

leehinman requested a review from a team as a code owner February 21, 2020 21:44

leehinman force-pushed the 16160_googlecloud_ecs_1.4 branch from b6aff0b to 1aac440 Compare February 21, 2020 21:45

andrewkroh approved these changes Feb 22, 2020

View reviewed changes

leehinman force-pushed the 16160_googlecloud_ecs_1.4 branch from 1aac440 to 01d7cd2 Compare February 24, 2020 15:38

leehinman merged commit e1fa198 into elastic:master Feb 24, 2020

leehinman mentioned this pull request Feb 24, 2020

Cherry-pick #16500 to 7.x: [Filebeat] Improve ECS categorization field mappings in googlecloud module #16528

Merged

leehinman added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Feb 24, 2020

leehinman deleted the 16160_googlecloud_ecs_1.4 branch February 24, 2020 19:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Filebeat] Improve ECS categorization field mappings in googlecloud module #16500

[Filebeat] Improve ECS categorization field mappings in googlecloud module #16500

leehinman commented Feb 21, 2020

elasticmachine commented Feb 21, 2020

andrewkroh left a comment

andrewkroh Feb 22, 2020

andrewkroh Feb 22, 2020

[Filebeat] Improve ECS categorization field mappings in googlecloud module #16500

[Filebeat] Improve ECS categorization field mappings in googlecloud module #16500

Conversation

leehinman commented Feb 21, 2020

elasticmachine commented Feb 21, 2020

andrewkroh left a comment

Choose a reason for hiding this comment

andrewkroh Feb 22, 2020

Choose a reason for hiding this comment

andrewkroh Feb 22, 2020

Choose a reason for hiding this comment