diff --git a/packages/cisco_amp/_dev/build/docs/README.md b/packages/cisco_amp/_dev/build/docs/README.md
deleted file mode 100644
index 2d934ee3a94..00000000000
--- a/packages/cisco_amp/_dev/build/docs/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# Cisco AMP Integration
-
-This integration is for Cisco AMP logs. It includes the following
-datasets for receiving logs over syslog or read from a file:
-
-- `log` dataset: supports Cisco AMP logs.
-
-## Logs
-
-### AMP
-
-The `log` dataset collects Cisco AMP logs.
-
-{{event "log"}}
-
-{{fields "log"}}
diff --git a/packages/cisco_amp/manifest.yml b/packages/cisco_amp/manifest.yml
deleted file mode 100644
index e601af7c7f9..00000000000
--- a/packages/cisco_amp/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_amp
-title: Cisco AMP
-version: 0.0.1
-license: basic
-description: This Elastic integration collects logs from Cisco AMP network devices
-type: integration
-categories:
- - network
- - security
-release: experimental
-conditions:
- kibana.version: "^7.16.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_amp
- title: Cisco AMP logs
- description: Collect logs from Cisco AMP
- inputs:
- - type: httpjson
- title: Collect logs from Cisco AMP API
- description: Collecting logs from Cisco AMP API
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_secure_endpoint/_dev/build/build.yml
similarity index 100%
rename from packages/cisco_amp/_dev/build/build.yml
rename to packages/cisco_secure_endpoint/_dev/build/build.yml
diff --git a/packages/cisco_secure_endpoint/_dev/build/docs/README.md b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
new file mode 100644
index 00000000000..ed51d2fb1c3
--- /dev/null
+++ b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
@@ -0,0 +1,16 @@
+# Cisco Secure Endpoint Integration
+
+This integration is for Cisco Secure Endpoint logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco Secure Endpoint logs.
+
+## Logs
+
+### Secure Endpoint
+
+The `log` dataset collects Cisco Secure Endpoint logs.
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
similarity index 91%
rename from packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
rename to packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
index a438beca546..066c8b4bd39 100644
--- a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
@@ -1,6 +1,6 @@
version: '2.3'
services:
- amp:
+ cisco_secure_endpoint:
image: docker.elastic.co/observability/stream:v0.5.0
ports: - 8080
diff --git a/packages/cisco_amp/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
similarity index 100%
rename from packages/cisco_amp/_dev/deploy/docker/files/config.yml
rename to packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
diff --git a/packages/cisco_amp/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
similarity index 90%
rename from packages/cisco_amp/changelog.yml
rename to packages/cisco_secure_endpoint/changelog.yml
index 5a5fc28efef..a4992dc5226 100644
--- a/packages/cisco_amp/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,5 +1,5 @@
# newer versions go on top
-- version: "0.0.1"
+- version: "0.1.0"
changes: - description: Initial migration from Filebeat Module
type: enhancement
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
similarity index 87%
rename from packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
index 1d250dd622a..0b7cb39fbaf 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
@@ -1,5 +1,5 @@
input: httpjson
-service: amp
+service: cisco_secure_endpoint
vars: ~
data_stream:
vars:
diff --git a/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
similarity index 100%
rename from packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
rename to packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
similarity index 62%
rename from packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
rename to packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 0deeae80697..de81b74bce5 100644
--- a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,5 @@ ---
-description: Pipeline for parsing Cisco AMP logs
+description: Pipeline for parsing Cisco Secure Endpoint logs
processors: - rename: field: message
@@ -14,10 +14,10 @@ processors: ######################### - rename: field: json.data - target_field: cisco.amp + target_field: cisco.secure_endpoint ignore_missing: true - date: - field: cisco.amp.timestamp + field: cisco.secure_endpoint.timestamp formats: - UNIX ignore_failure: true
@@ -35,64 +35,64 @@ processors: field: event.kind value: alert - convert: - field: cisco.amp.id + field: cisco.secure_endpoint.id target_field: event.id type: string ignore_missing: true - append: field: event.category value: file - if: ctx?.cisco?.amp?.file?.file_name != null + if: ctx?.cisco?.secure_endpoint?.file?.file_name != null - append: field: event.category value: malware - if: 'ctx?.cisco?.amp?.file?.disposition == "Malicious"' + if: 'ctx?.cisco?.secure_endpoint?.file?.disposition == "Malicious"' - rename: - field: cisco.amp.event_type + field: cisco.secure_endpoint.event_type target_field: event.action ignore_missing: true - set: field: event.severity value: 1 - if: ctx?.cisco?.amp?.severity == 'Low' + if: ctx?.cisco?.secure_endpoint?.severity == 'Low' - set: field: event.severity value: 2 - if: ctx?.cisco?.amp?.severity == 'Medium' + if: ctx?.cisco?.secure_endpoint?.severity == 'Medium' - set: field: event.severity value: 3 - if: ctx?.cisco?.amp?.severity == 'High' + if: ctx?.cisco?.secure_endpoint?.severity == 'High' - set: field: event.severity value: 4 - if: ctx?.cisco?.amp?.severity == 'Critical' + if: ctx?.cisco?.secure_endpoint?.severity == 'Critical' - set: field: event.severity value: 0 - if: ctx?.cisco?.amp?.severity == null + if: ctx?.cisco?.secure_endpoint?.severity == null - date: - field: cisco.amp.start_timestamp + field: cisco.secure_endpoint.start_timestamp target_field: event.start formats: - UNIX ignore_failure: true - if: ctx?.cisco?.amp?.start_timestamp != null + if: ctx?.cisco?.secure_endpoint?.start_timestamp != null - rename: - field: cisco.amp.techniques - target_field: cisco.amp.mitre_techniques - if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String" + field: cisco.secure_endpoint.techniques + target_field: cisco.secure_endpoint.mitre_techniques + if: "ctx?.cisco?.secure_endpoint?.techniques != null && ctx?.cisco?.secure_endpoint?.techniques.length 
> 0 && ctx?.cisco?.secure_endpoint?.techniques[0] instanceof String" - rename: - field: cisco.amp.tactics - target_field: cisco.amp.mitre_tactics - if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String" + field: cisco.secure_endpoint.tactics + target_field: cisco.secure_endpoint.mitre_tactics + if: "ctx?.cisco?.secure_endpoint?.tactics != null && ctx?.cisco?.secure_endpoint?.tactics.length > 0 && ctx?.cisco?.secure_endpoint?.tactics[0] instanceof String" ###################### ## ECS Host Mapping ## ###################### - rename: - field: cisco.amp.computer.hostname + field: cisco.secure_endpoint.computer.hostname target_field: host.name ignore_missing: true - set: @@ -100,7 +100,7 @@ processors: value: "{{ host.name }}" if: ctx?.host?.name != null - rename: - field: cisco.amp.computer.user + field: cisco.secure_endpoint.computer.user target_field: host.user.name ignore_missing: true 
@@ -108,29 +108,29 @@ processors: ## ECS Network Mapping ## ######################### - rename: - field: cisco.amp.network_info.nfm.protocol + field: cisco.secure_endpoint.network_info.nfm.protocol target_field: network.transport ignore_missing: true - set: field: network.direction value: egress - if: "ctx?.cisco?.amp?.network_info?.nfm?.direction == 'Outgoing connection from'" + if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction == 'Outgoing connection from'" - set: field: network.direction value: ingress - if: "ctx?.cisco?.amp?.network_info?.nfm?.direction != null && ctx?.cisco?.amp?.network_info?.nfm?.direction != 'Outgoing connection from'" + if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != null && ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != 'Outgoing connection from'" ##################### ## ECS URL Mapping ## ##################### - uri_parts: - field: cisco.amp.network_info.dirty_url + field: cisco.secure_endpoint.network_info.dirty_url target_field: url keep_original: true remove_if_successful: true - if: ctx?.cisco?.amp?.network_info?.dirty_url != null + if: ctx?.cisco?.secure_endpoint?.network_info?.dirty_url != null - rename: - field: cisco.amp.network_info.dirty_url + field: cisco.secure_endpoint.network_info.dirty_url target_field: url.original ignore_missing: true @@ -138,11 +138,11 @@ processors: ## ECS Source Mapping ## ######################## - rename: - field: cisco.amp.network_info.local_ip + field: cisco.secure_endpoint.network_info.local_ip target_field: source.ip ignore_missing: true - rename: - field: cisco.amp.network_info.local_port + field: cisco.secure_endpoint.network_info.local_port target_field: source.port ignore_missing: true 
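Review bot: The second `set` for `network.direction` in the @@ -108 hunk labels every non-null `nfm.direction` other than `'Outgoing connection from'` as `ingress`, so a new or unexpected direction string from the API would be reported as inbound traffic instead of being left unmapped. Unless the field is known to take only two values, which the diff does not show, match the inbound literal explicitly the way the egress branch does, e.g. `if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction == '<inbound literal>'"` with the literal taken from the API documentation or the pipeline test fixtures, so unknown values are not misattributed in detections that key on direction.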
@@ -150,11 +150,11 @@ processors: ## ECS Destination Mapping ## ############################# - rename: - field: cisco.amp.network_info.remote_ip + field: cisco.secure_endpoint.network_info.remote_ip target_field: destination.ip ignore_missing: true - rename: - field: cisco.amp.network_info.remote_port + field: cisco.secure_endpoint.network_info.remote_port target_field: destination.port ignore_missing: true @@ -162,23 +162,23 @@ processors: ## ECS File Mapping ## ###################### - rename: - field: cisco.amp.file.file_name + field: cisco.secure_endpoint.file.file_name target_field: file.name ignore_missing: true - rename: - field: cisco.amp.file.file_path + field: cisco.secure_endpoint.file.file_path target_field: file.path ignore_missing: true - rename: - field: cisco.amp.file.identity.sha256 + field: cisco.secure_endpoint.file.identity.sha256 target_field: file.hash.sha256 ignore_missing: true - rename: - field: cisco.amp.file.identity.sha1 + field: cisco.secure_endpoint.file.identity.sha1 target_field: file.hash.sha1 ignore_missing: true - rename: - field: cisco.amp.file.identity.md5 + field: cisco.secure_endpoint.file.identity.md5 target_field: file.hash.md5 ignore_missing: true 
@@ -198,47 +198,47 @@ processors: ## ECS Process Mapping ## ######################### - rename: - field: cisco.amp.file.parent.process_id + field: cisco.secure_endpoint.file.parent.process_id target_field: process.pid ignore_missing: true - rename: - field: cisco.amp.network_info.parent.process_id + field: cisco.secure_endpoint.network_info.parent.process_id target_field: process.pid ignore_missing: true - rename: - field: cisco.amp.file.parent.file_name + field: cisco.secure_endpoint.file.parent.file_name target_field: process.name ignore_missing: true - rename: - field: cisco.amp.file.parent.identity.sha256 + field: cisco.secure_endpoint.file.parent.identity.sha256 target_field: process.hash.sha256 ignore_missing: true - rename: - field: cisco.amp.file.parent.identity.sha1 + field: cisco.secure_endpoint.file.parent.identity.sha1 target_field: process.hash.sha1 ignore_missing: true - rename: - field: cisco.amp.file.parent.identity.md5 + field: cisco.secure_endpoint.file.parent.identity.md5 target_field: process.hash.md5 ignore_missing: true - rename: - field: cisco.amp.file.parent.identity.md5 + field: cisco.secure_endpoint.file.parent.identity.md5 target_field: process.hash.md5 ignore_missing: true - rename: - field: cisco.amp.network_info.parent.file_name + field: cisco.secure_endpoint.network_info.parent.file_name target_field: process.name ignore_missing: true - rename: - field: cisco.amp.network_info.parent.identity.sha256 + field: cisco.secure_endpoint.network_info.parent.identity.sha256 target_field: process.hash.sha256 ignore_missing: true - rename: - field: cisco.amp.network_info.parent.identity.sha1 + field: cisco.secure_endpoint.network_info.parent.identity.sha1 target_field: process.hash.sha1 ignore_missing: true - rename: - field: cisco.amp.network_info.parent.identity.md5 + field: cisco.secure_endpoint.network_info.parent.identity.md5 target_field: process.hash.md5 ignore_missing: true 
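Review bot: The `rename` of `cisco.secure_endpoint.file.parent.identity.md5` to `process.hash.md5` appears twice in succession in this hunk; the duplicate is carried over from the old file, is masked by `ignore_missing: true` once the first copy has moved the field, and can be dropped while these lines are being touched. Separately, `process.pid`, `process.name` and each `process.hash.*` field are populated by two `rename` processors, one from `file.parent` and one from `network_info.parent`; `rename` errors when its target field already exists, so this presumably relies on an event never carrying both parent objects — worth confirming against the API, or guarding the second set with e.g. `if: ctx?.process?.pid == null` so a combined event does not fall through to `on_failure`.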
@@ -282,18 +282,18 @@ processors: allow_duplicates: false - append: field: related.hash - value: "{{ cisco.amp.network_info.parent.identity.sha256 }}" - if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha256 != null + value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha256 != null allow_duplicates: false - append: field: related.hash - value: "{{ cisco.amp.network_info.parent.identity.md5 }}" - if: ctx?.cisco?.amp?.network_info?.parent?.identity?.md5 != null + value: "{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.md5 != null allow_duplicates: false - append: field: related.hash - value: "{{ cisco.amp.network_info.parent.identity.sha1 }}" - if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha1 != null + value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha1 != null allow_duplicates: false - append: field: related.hosts @@ -312,8 +312,8 @@ processors: allow_duplicates: false - append: field: related.ip - value: "{{ cisco.amp.computer.external_ip }}" - if: ctx?.cisco?.amp?.computer?.external_ip != null + value: "{{ cisco.secure_endpoint.computer.external_ip }}" + if: ctx?.cisco?.secure_endpoint?.computer?.external_ip != null allow_duplicates: false - script: lang: painless 
@@ -324,39 +324,39 @@ processors: if (ctx?.related?.ip == null) { ctx.related.ip = new ArrayList(); } - for (addr in ctx?.cisco?.amp?.computer?.network_addresses) { + for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { if (addr.ip != null && !addr.ip.isEmpty()) { if (!ctx?.related?.ip.contains(addr.ip)) { ctx?.related?.ip.add(addr.ip); } } } - if: ctx?.cisco?.amp?.computer?.network_addresses != null + if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null - script: lang: painless source: | - if (ctx?.cisco?.amp?.related == null) { - ctx.cisco.amp.related = new HashMap(); + if (ctx?.cisco?.secure_endpoint?.related == null) { + ctx.cisco.secure_endpoint.related = new HashMap(); } - if (ctx?.cisco?.amp?.related?.mac == null) { - ctx.cisco.amp.related.mac = new ArrayList(); + if (ctx?.cisco?.secure_endpoint?.related?.mac == null) { + ctx.cisco.secure_endpoint.related.mac = new ArrayList(); } - for (addr in ctx?.cisco?.amp?.computer?.network_addresses) { + for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { if (addr.mac != null && !addr.mac.isEmpty()) { - if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) { - ctx?.cisco?.amp?.related?.mac.add(addr.mac); + if (!ctx?.cisco?.secure_endpoint?.related?.mac.contains(addr.mac)) { + ctx?.cisco?.secure_endpoint?.related?.mac.add(addr.mac); } } } - if: ctx?.cisco?.amp?.computer?.network_addresses != null + if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null - foreach: - field: cisco.amp.vulnerabilities + field: cisco.secure_endpoint.vulnerabilities processor: append: - field: cisco.amp.related.cve + field: cisco.secure_endpoint.related.cve value: "{{ _ingest._value.cve }}" allow_duplicates: false - if: ctx?.cisco?.amp?.vulnerabilities != null + if: ctx?.cisco?.secure_endpoint?.vulnerabilities != null ############# ## GeoIP ## 
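Review bot: The `foreach` over `cisco.secure_endpoint.vulnerabilities` appends `{{ _ingest._value.cve }}` to `related.cve` unconditionally, so an entry without a `cve` key would contribute an empty string to the list (the template renders a missing value as empty); whether such entries occur is not visible from the diff. Adding `if: ctx?._ingest?._value?.cve != null` to the inner `append` keeps `related.cve` clean either way, which matters because that field is the one analysts pivot on for vulnerability correlation.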
@@ -408,19 +408,19 @@ processors: ## Cleanup ## ############# - date: - field: cisco.amp.threat_hunting.incident_start_time - target_field: cisco.amp.threat_hunting.incident_start_time + field: cisco.secure_endpoint.threat_hunting.incident_start_time + target_field: cisco.secure_endpoint.threat_hunting.incident_start_time formats: - UNIX ignore_failure: true - if: ctx?.cisco?.amp?.threat_hunting?.incident_start_time != null + if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_start_time != null - date: - field: cisco.amp.threat_hunting.incident_end_time - target_field: cisco.amp.threat_hunting.incident_end_time + field: cisco.secure_endpoint.threat_hunting.incident_end_time + target_field: cisco.secure_endpoint.threat_hunting.incident_end_time formats: - UNIX ignore_failure: true - if: ctx?.cisco?.amp?.threat_hunting?.incident_end_time != null + if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_end_time != null - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values.
@@ -453,15 +453,15 @@ processors: ignore_missing: true - remove: field: - - cisco.amp.timestamp - - cisco.amp.computer.links + - cisco.secure_endpoint.timestamp + - cisco.secure_endpoint.computer.links - json - - cisco.amp.severity - - cisco.amp.start_timestamp - - cisco.amp.date - - cisco.amp.timestamp_nanoseconds - - cisco.amp.start_date - - cisco.amp.id + - cisco.secure_endpoint.severity + - cisco.secure_endpoint.start_timestamp + - cisco.secure_endpoint.date + - cisco.secure_endpoint.timestamp_nanoseconds + - cisco.secure_endpoint.start_date + - cisco.secure_endpoint.id ignore_missing: true on_failure: - set:
diff --git a/packages/cisco_amp/data_stream/log/fields/agent.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/fields/agent.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml
diff --git a/packages/cisco_amp/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
similarity index 94%
rename from packages/cisco_amp/data_stream/log/fields/base-fields.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
index 51e5fe98f8e..777171a4af1 100644
--- a/packages/cisco_amp/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
@@ -13,11 +13,11 @@ - name: event.module type: constant_keyword description: Event module - value: cisco_amp + value: cisco_secure_endpoint - name: event.dataset type: constant_keyword description: Event dataset - value: cisco_amp.log + value: cisco_secure_endpoint.log - name: container.id description: Unique container id. ignore_above: 1024
diff --git a/packages/cisco_amp/data_stream/log/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/fields/ecs.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
diff --git a/packages/cisco_amp/data_stream/log/fields/fields.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
similarity index 99%
rename from packages/cisco_amp/data_stream/log/fields/fields.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
index e67370745fb..e07fffbd0b5 100644
--- a/packages/cisco_amp/data_stream/log/fields/fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
@@ -1,9 +1,9 @@
-- name: cisco.amp
+- name: cisco.secure_endpoint
type: group
release: beta
default_field: false
description: > - Module for parsing Cisco AMP logs.
+ Module for parsing Cisco Secure Endpoint logs.
fields: - name: timestamp_nanoseconds
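Review bot: Changing the `event.module` and `event.dataset` constant values to `cisco_secure_endpoint` and `cisco_secure_endpoint.log` means any saved search, detection rule or dashboard that filters on `cisco_amp.log` stops matching, as do queries on the `cisco.amp.*` field paths renamed elsewhere in this commit; the changelog entry in this commit bumps the version but still reads 'Initial migration from Filebeat Module', so the rename is not recorded anywhere a user would look. Add a changelog entry for the new version such as `description: Rename package from cisco_amp to cisco_secure_endpoint; event.dataset and the cisco.* field prefix change accordingly` with `type: breaking-change` (if the changelog spec in use accepts that type), and consider naming the old values in the package README so existing queries can be migrated.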
diff --git a/packages/cisco_amp/data_stream/log/manifest.yml b/packages/cisco_secure_endpoint/data_stream/log/manifest.yml
similarity index 90%
rename from packages/cisco_amp/data_stream/log/manifest.yml
rename to packages/cisco_secure_endpoint/data_stream/log/manifest.yml
index 7eef1317b6d..65d64108127 100644
--- a/packages/cisco_amp/data_stream/log/manifest.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/manifest.yml
@@ -1,4 +1,4 @@
-title: Cisco AMP logs
+title: Cisco Secure Endpoint logs
release: experimental
type: logs
streams:
@@ -7,14 +7,14 @@ streams: - name: client_id type: text title: Client ID - description: Cisco AMP Client ID + description: Cisco Secure Endpoint Client ID multi: false required: true show_user: true - name: api_key type: password title: API Key - description: Cisco AMP API Key + description: Cisco Secure Endpoint API Key multi: false required: true show_user: true
@@ -70,7 +70,7 @@ streams: required: true show_user: true default: - - cisco-amp + - cisco-secure_endpoint - forwarded - name: preserve_original_event required: true
@@ -88,5 +88,5 @@ streams:
show_user: false
description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
template_path: httpjson.yml.hbs
- title: Cisco AMP logs
- description: Collect Cisco AMP logs via the API
+ title: Cisco Secure Endpoint logs
+ description: Collect Cisco Secure Endpoint logs via the API
diff --git a/packages/cisco_amp/data_stream/log/sample_event.json b/packages/cisco_secure_endpoint/data_stream/log/sample_event.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/sample_event.json
rename to packages/cisco_secure_endpoint/data_stream/log/sample_event.json
diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
similarity index 68%
rename from packages/cisco_amp/docs/README.md
rename to packages/cisco_secure_endpoint/docs/README.md
index 334ebbae376..fdb900ec77c 100644
--- a/packages/cisco_amp/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -1,15 +1,15 @@
-# Cisco AMP Integration
+# Cisco Secure Endpoint Integration
-This integration is for Cisco AMP logs. It includes the following
+This integration is for Cisco Secure Endpoint logs. It includes the following
datasets for receiving logs over syslog or read from a file:
-- `log` dataset: supports Cisco AMP logs.
+- `log` dataset: supports Cisco Secure Endpoint logs.
## Logs
-### AMP
+### Secure Endpoint
-The `log` dataset collects Cisco AMP logs.
+The `log` dataset collects Cisco Secure Endpoint logs.
An example event for `log` looks as following:
@@ -96,63 +96,63 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cisco.amp.bp_data | Endpoint isolation information | flattened |
-| cisco.amp.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword |
-| cisco.amp.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword |
-| cisco.amp.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword |
-| cisco.amp.computer.active | If the current endpoint is active or not. | boolean |
-| cisco.amp.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword |
-| cisco.amp.computer.external_ip | The external IP of the related host. | ip |
-| cisco.amp.computer.network_addresses | All network interface information on the related host. | flattened |
-| cisco.amp.connector_guid | The GUID of the connector sending information to AMP. | keyword |
-| cisco.amp.detection | The name of the malware detected. | keyword |
-| cisco.amp.detection_id | The ID of the detection. | keyword |
-| cisco.amp.error.description | Description of an endpoint error event. | keyword |
-| cisco.amp.error.error_code | The error code describing the related error event. | long |
-| cisco.amp.event_type_id | A sub ID of the event, depending on event type. | long |
-| cisco.amp.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.attack_details.application | The application name related to Exploit Prevention events. | keyword |
-| cisco.amp.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword |
-| cisco.amp.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword |
-| cisco.amp.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened |
-| cisco.amp.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword |
-| cisco.amp.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
-| cisco.amp.mitre_tactics | Array of all related mitre tactic ID's | keyword |
-| cisco.amp.mitre_techniques | Array of all related mitre technique ID's | keyword |
-| cisco.amp.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
-| cisco.amp.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |
-| cisco.amp.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword |
-| cisco.amp.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword |
-| cisco.amp.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword |
-| cisco.amp.related.cve | An array of all related CVEs | keyword |
-| cisco.amp.related.mac | An array of all related MAC addresses. | keyword |
-| cisco.amp.scan.clean | Boolean value if a scanned file was clean or not. | boolean |
-| cisco.amp.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword |
-| cisco.amp.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long |
-| cisco.amp.scan.scanned_files | Count of files scanned in a directory. | long |
-| cisco.amp.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long |
-| cisco.amp.scan.scanned_processes | Count of processes scanned related to a single scan event. | long |
-| cisco.amp.tactics | List of all MITRE tactics related to the incident found. | flattened |
-| cisco.amp.techniques | List of all MITRE techniques related to the incident found. | flattened |
-| cisco.amp.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date |
-| cisco.amp.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword |
-| cisco.amp.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long |
-| cisco.amp.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword |
-| cisco.amp.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword |
-| cisco.amp.threat_hunting.incident_start_time | When the threat hunt was initiated. | date |
-| cisco.amp.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword |
-| cisco.amp.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword |
-| cisco.amp.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword |
-| cisco.amp.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened |
-| cisco.amp.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
-| cisco.amp.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
-| cisco.amp.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
+| cisco.secure_endpoint.bp_data | Endpoint isolation information | flattened |
+| cisco.secure_endpoint.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.secure_endpoint.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.secure_endpoint.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword |
+| cisco.secure_endpoint.computer.active | If the current endpoint is active or not. | boolean |
+| cisco.secure_endpoint.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword |
+| cisco.secure_endpoint.computer.external_ip | The external IP of the related host. | ip |
+| cisco.secure_endpoint.computer.network_addresses | All network interface information on the related host. | flattened |
+| cisco.secure_endpoint.connector_guid | The GUID of the connector sending information to AMP. | keyword |
+| cisco.secure_endpoint.detection | The name of the malware detected. | keyword |
+| cisco.secure_endpoint.detection_id | The ID of the detection. | keyword |
+| cisco.secure_endpoint.error.description | Description of an endpoint error event. | keyword |
+| cisco.secure_endpoint.error.error_code | The error code describing the related error event. | long |
+| cisco.secure_endpoint.event_type_id | A sub ID of the event, depending on event type. | long |
+| cisco.secure_endpoint.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.attack_details.application | The application name related to Exploit Prevention events. | keyword |
+| cisco.secure_endpoint.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword |
+| cisco.secure_endpoint.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword |
+| cisco.secure_endpoint.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened |
+| cisco.secure_endpoint.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword |
+| cisco.secure_endpoint.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
+| cisco.secure_endpoint.mitre_tactics | Array of all related mitre tactic ID's | keyword |
+| cisco.secure_endpoint.mitre_techniques | Array of all related mitre technique ID's | keyword |
+| cisco.secure_endpoint.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
+| cisco.secure_endpoint.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.related.cve | An array of all related CVEs | keyword |
+| cisco.secure_endpoint.related.mac | An array of all related MAC addresses. | keyword |
+| cisco.secure_endpoint.scan.clean | Boolean value if a scanned file was clean or not. | boolean |
+| cisco.secure_endpoint.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword |
+| cisco.secure_endpoint.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long |
+| cisco.secure_endpoint.scan.scanned_files | Count of files scanned in a directory. | long |
+| cisco.secure_endpoint.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long |
+| cisco.secure_endpoint.scan.scanned_processes | Count of processes scanned related to a single scan event. | long |
+| cisco.secure_endpoint.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.secure_endpoint.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.secure_endpoint.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date |
+| cisco.secure_endpoint.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long |
+| cisco.secure_endpoint.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_start_time | When the threat hunt was initiated. | date |
+| cisco.secure_endpoint.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword |
+| cisco.secure_endpoint.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword |
+| cisco.secure_endpoint.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.secure_endpoint.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.secure_endpoint.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
+| cisco.secure_endpoint.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
diff --git a/packages/cisco_amp/img/cisco.svg b/packages/cisco_secure_endpoint/img/cisco.svg
similarity index 100%
rename from packages/cisco_amp/img/cisco.svg
rename to packages/cisco_secure_endpoint/img/cisco.svg
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
new file mode 100644
index 00000000000..cdab58847ef
--- /dev/null
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: cisco_secure_endpoint
+title: Cisco Secure Endpoint (AMP)
+version: 0.1.0
+license: basic
+description: This Elastic integration collects logs from Cisco Secure Endpoint (formerly Cisco AMP)
+type: integration
+categories:
+ - network
+ - security
+release: beta
+conditions:
+ kibana.version: "^7.16.0"
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_secure_endpoint
+ title: Cisco Secure Endpoint logs
+ description: Collect logs from Cisco Secure Endpoint
+ inputs:
+ - type: httpjson
+ title: Collect logs from the Cisco Secure Endpoint API
+ description: Collecting logs from the Cisco Secure Endpoint API
+owner:
+ github: elastic/security-external-integrations
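Review bot: `release: beta` in the new package manifest disagrees with the data stream manifest earlier in this diff, where the `release: experimental` context line in the first hunk of `data_stream/log/manifest.yml` is left untouched, so the package advertises a maturity its only data stream does not claim; either change that line to `release: beta` too or keep the package at `release: experimental` until the stream is promoted. On a smaller note, `version: 0.1.0` and `format_version: 1.0.0` are only safe unquoted because they carry two dots; a future two-component value would be read as a float by a generic YAML loader, so quoting them the way the file already quotes `kibana.version: "^7.16.0"` removes that trap, assuming the package tooling accepts quoted version strings as it appears to elsewhere.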