[Meta] 7.14 Planned changes to all packages #994

P1llus · 2021-05-17T10:02:53Z

This issue is an overview of planned changes that affect all or most packages to prepare them for GA.

List of tasks:

Update ECS version to 1.10
Each package should have an updated ECS version, even if no changes is needed for the specific package, the new fields added in 1.10 is:
New fields:
Datastream: https://github.com/elastic/ecs/blob/master/rfcs/text/0009-data_stream-fields.md
Beta fields:
Orchestrator: https://github.com/elastic/ecs/blob/master/rfcs/text/0012-orchestrator-field-set.md
Experimental:
Threat fields: https://github.com/elastic/ecs/blob/master/rfcs/text/0018-extend-threat-group-software.md
Make sure the package is synced with any changes done to its related module
There might still be changes, hotfixes or enhancements added to modules which is not synced over.
Make sure all packages have pipeline test files.
Currently not all packages have pipeline test files, this should be added to make sure it has more feature parity with how CI tests are done for pipelines in the beats repo.
Remove any edge processing that might still exist.
All edge processing is removed from the security-integrations packges already, but there might be some smaller processors left to convert.
Implementation of "Preserve Raw Event" option for all packages.
All packages should follow the principles discussed in an earlier issue: event.original optionality across all packages #777 (comment)
Each package will have the following changes:

Move the original data from its source field (default is the message field), to event.original.
All ingest pipeline processors handling values stored in the message field, will instead handle the event.original field. This simplifies reindexing of data by a lot,
Preserve raw event defaults to off.
Overwrite any existing setting if some packages might already handle event.original, with on/off by default.
A menu option is added to preserve raw events for each package:

    vars:
      - name: preserve_original_event
        required: true
        show_user: true
        title: Preserve original event
        description: Preserves a raw copy of the original event, added to the field event.original
        type: bool
        multi: false
        default: false

Which looks like this:

The text was updated successfully, but these errors were encountered:

elasticmachine · 2021-05-17T10:02:54Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

P1llus · 2021-05-17T10:08:03Z

As discussed @masci these are the changes we would like to perform, in which we could always track cross-team.

P1llus · 2021-05-17T10:17:18Z

Packages to track:

apache
PR: #1068

auditd
PR: #1031

aws
PR: #1070

azure
PR: #1113
PR to sync changes: #1121

barracuda
PR: #1042

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (need to keep decode_cef processor)
Implement Preserve Raw Event

bluecoat
PR: #1072

cef
PR: #1032

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (need to keep decode_cef processor)
Implement Preserve Raw Event

checkpoint
PR: #1033

cisco
PR: #1035

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (with the exception of RSA filesets)
Implement Preserve Raw Event

crowdstrike
PR: #1036

cyberark
PR: #1037

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

cyberarkpas
PR: #1039

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

cylance
PR: #1040

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

docker

f5
PR: #1041

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

fortinet
PR: #1092

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

gcp
PR: #1045

google_workspace
PR: #1046

haproxy
PR: #1048

iis
PR: #1054

imperva
PR: #1055

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

infoblox
PR: #1056

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

iptables
PR: #1057

juniper
PR: #1058

Update ECS.
Sync package if any module changes.
Add pipeline test files
Remove edge processing (did not remove RSA parser components)
Implement Preserve Raw Event

kafka
PR: #1116

kubernetes

linux

microsoft
PR: #1059

mongodb
PR: #1060

mysql

nats
PR: #1061

netflow
PR: #1062

netscout
PR: #1063

nginx
PR: #1065

nginx_ingress_controller
PR: #1066

o365
PR: #1117

okta
PR: #1067

panw
PR: #1093

postgresql
PR: #1095

proofpoint
PR: #1096

rabbitmq
PR: #1097

radware
PR: #1098

redis
PR: #1099

santa
PR: #1100

sonicwall
PR: #1101

sophos
#1102

squid
#1103

stan
PR: #1104

suricata
PR: #1105

system

tomcat
PR: #1106

traefik
PR: #1107

windows

zeek
PR: #1109

zoom

zscaler
PR: #1112

epixa · 2021-08-17T18:14:38Z

I'm going to close this since 7.14 is out. Feel free to reopen/rename if there's still something to track here.

P1llus added enhancement New feature or request integration Label used for meta issues tracking each integration Team:Security-External Integrations meta Theme: just_ingest_it 7.14 candidate labels May 17, 2021

P1llus self-assigned this May 17, 2021

weltenwort mentioned this issue Jun 3, 2021

[Logs UI] Add event.original fallback to message reconstruction rules elastic/kibana#101307

Closed

This was referenced Jun 7, 2021

[Fortinet] updating fortinet ecs version and adding event.original options #1092

Merged

[Panw] update panw ECS version and adding event.original options #1093

Merged

legoguy1000 mentioned this issue Jun 7, 2021

[IPtables] Sync IPtables package with Filebeat module #1094

Merged

4 tasks

epixa closed this as completed Aug 17, 2021

ruflin mentioned this issue Nov 29, 2022

[Discuss] Usage of event.original #4733

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Meta] 7.14 Planned changes to all packages #994

[Meta] 7.14 Planned changes to all packages #994

P1llus commented May 17, 2021 •

edited

Loading

elasticmachine commented May 17, 2021

P1llus commented May 17, 2021

P1llus commented May 17, 2021 •

edited

Loading

epixa commented Aug 17, 2021

[Meta] 7.14 Planned changes to all packages #994

[Meta] 7.14 Planned changes to all packages #994

Comments

P1llus commented May 17, 2021 • edited Loading

elasticmachine commented May 17, 2021

P1llus commented May 17, 2021

P1llus commented May 17, 2021 • edited Loading

epixa commented Aug 17, 2021

P1llus commented May 17, 2021 •

edited

Loading

P1llus commented May 17, 2021 •

edited

Loading