
[Cisco Secure Endpoint] Parse additional fields to ECS #5352

Closed
MakoWish opened this issue Feb 22, 2023 · 5 comments · Fixed by #6258
Comments

@MakoWish
Contributor

MakoWish commented Feb 22, 2023

There are additional fields in the Cisco Secure Endpoint events that can be parsed into ECS fields. Some examples are:

  • cisco.secure_endpoint.computer.network_addresses --> host.ip and host.mac
  • cisco.secure_endpoint.computer.connector_guid --> host.id
  • cisco.secure_endpoint.error.description --> error.message
  • cisco.secure_endpoint.error.error_code --> error.code
  • cisco.secure_endpoint.group_guids --> group.id

Thank you,
Eric
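The mapping requested above, worked through as an added example that is not part of this issue or of the Elastic integration's own pipeline. It takes a constructed Cisco Secure Endpoint event (the nested shape of `network_addresses` as a list of `{ip, mac}` objects is an assumption, as are the placeholder GUID and group ids) and produces the ECS fields listed in the issue, flattening the address list into `host.ip` / `host.mac`, dropping malformed addresses, normalising MACs to the ECS uppercase hyphenated format, and casting `error.code` to a string because ECS types it as keyword. An ingest pipeline would express the same logic with `rename` and `foreach`/`append` processors; here it is plain Python so it can be run and checked offline.

```python
from ipaddress import ip_address

# Constructed sample event (not a real capture). Field layout under
# cisco.secure_endpoint.* follows the issue; the list-of-objects shape of
# network_addresses and the placeholder identifiers are assumptions.
SAMPLE_EVENT = {
    "cisco": {
        "secure_endpoint": {
            "computer": {
                "connector_guid": "00000000-0000-0000-0000-000000000000",  # placeholder
                "network_addresses": [
                    {"ip": "10.0.0.5", "mac": "aa:bb:cc:dd:ee:ff"},
                    {"ip": "fe80::1", "mac": "aa:bb:cc:dd:ee:ff"},  # same MAC, IPv6
                    {"ip": "not-an-ip"},  # malformed entry, must be skipped
                ],
            },
            "error": {"description": "Quarantine failed", "error_code": 3},
            "group_guids": ["group-guid-1", "group-guid-2"],  # placeholders
        }
    }
}

# Straight one-to-one renames from the issue's list.
SIMPLE_MAPPINGS = {
    "cisco.secure_endpoint.computer.connector_guid": "host.id",
    "cisco.secure_endpoint.error.description": "error.message",
    "cisco.secure_endpoint.error.error_code": "error.code",
    "cisco.secure_endpoint.group_guids": "group.id",
}


def get_path(doc, path):
    """Return the value at a dotted path, or None if any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, path, value):
    """Create nested dicts as needed and set the leaf at a dotted path."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def normalise_mac(mac):
    """ECS recommends uppercase hex octets separated by hyphens."""
    return mac.strip().upper().replace(":", "-")


def map_to_ecs(event):
    """Build the ECS view of a Cisco Secure Endpoint event."""
    out = {}
    for src, dst in SIMPLE_MAPPINGS.items():
        val = get_path(event, src)
        if val is None:
            continue  # ignore_missing semantics: absent source is not an error
        if dst == "error.code":
            val = str(val)  # error.code is a keyword field in ECS
        set_path(out, dst, val)

    ips, macs = [], []
    for entry in get_path(event, "cisco.secure_endpoint.computer.network_addresses") or []:
        if not isinstance(entry, dict):
            continue
        ip = entry.get("ip")
        if ip:
            try:
                ip_address(ip)  # reject anything that is not a valid IPv4/IPv6 literal
                if ip not in ips:
                    ips.append(ip)
            except ValueError:
                pass
        mac = entry.get("mac")
        if mac:
            mac = normalise_mac(mac)
            if mac not in macs:
                macs.append(mac)
    if ips:
        set_path(out, "host.ip", ips)
    if macs:
        set_path(out, "host.mac", macs)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(map_to_ecs(SAMPLE_EVENT), indent=2))
```

Running it prints the ECS document with `host.ip` holding both valid addresses, a single de-duplicated `host.mac`, and an empty result for an event with none of the source fields, which is the behaviour a pipeline with `ignore_missing: true` should also show.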

@MakoWish
Contributor Author

MakoWish commented Feb 22, 2023

pinging @elasticmachine

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds added the Integration:cisco_secure_endpoint Cisco Secure Endpoint label Feb 23, 2023
@MakoWish MakoWish changed the title Incorrect Parsing of Cisco Secure Endpoint Events to ECS [Cisco Secure Endpoint] host.ip and host.mac fields are not being parsed out of the messages May 18, 2023
@MakoWish MakoWish changed the title [Cisco Secure Endpoint] host.ip and host.mac fields are not being parsed out of the messages [Cisco Secure Endpoint] Parse additional fields to ECS May 18, 2023
@LaZyDK
Contributor

LaZyDK commented May 30, 2023

@MakoWish do you need anything for this to be ready for review? We would like it in production, and it looks great :)

@MakoWish
Contributor Author

Hi @LaZyDK,

I am having an issue with setting the error.message field, so I decided to just leave that out for now. I had to resolve some conflicts with another recent merge, but I marked the PR as ready for review.

@LaZyDK
Contributor

LaZyDK commented Jun 1, 2023

I just created another pull request for this integration for cleaner data #6419.
