[cisco_meraki] Replace rsa2elk pipeline and add webhook input #2897
Conversation
…r webhook system tests
Anonymise test data
Comment and rearrange events pipeline
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Thanks @andrewkroh for all the comments. I have made the changes.
pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" | ||
if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true | ||
# source field IP:port handling | ||
- set: |
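Review bot: the `if` guarding this dissect compares `startsWith("src=") == true`, which is redundant, and it dereferences `ctx._temp.event_type` and `ctx._temp.token` with no null guard, so any document that reaches this processor without a `_temp` object (or without `token`) will fail with a null pointer error rather than being skipped. Suggest `if: ctx._temp?.token != null && ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=")`, or `ignore_failure: true` if a non-matching document is expected here.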
Can you switch these over to converts.
# fields common to more than one event type | ||
- dissect: | ||
field: src | ||
pattern: "%{source.ip}:%{sport}" |
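Review bot: `%{sport}` (and the `dport` counterpart) comes out of dissect as a string; the hunk shows no follow-up `convert` with `type: integer` for the port fields, so `source.port`/`destination.port` would be indexed as text unless converted elsewhere. Suggest adding a `convert` processor with `type: integer` and `ignore_missing: true` for both ports alongside the IP converts already requested.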
Can you add a convert to validate the source/destination ip.
Do these logs also contain IPv6 addresses? I doubt this dissect works in that case. Unless you know the exact format or that it does not need to handle ipv6 addresses, then you might need a generic parser that handles most formats like https://github.com/elastic/integrations/blob/main/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml#L50-L60.
All the logs I have received and the docs only used IPv4. But I suppose nothing stops someone from using IPv6. I have added IP v4+v6 handling and converts across all pipelines where applicable. Thanks!
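As an added example, not code from this PR or the integration, the following Python shows the parsing logic a generic `ip:port` handler needs once IPv6 is in scope: it accepts bare IPv4, `v4:port`, bare IPv6 and `[v6]:port`, validates the address the way a `convert` with `type: ip` would, and checks the uncompressed-only pattern quoted in this thread against compressed addresses. The function name and the sample tokens are constructed for illustration.

```python
import ipaddress
import re

# Pattern quoted in the review thread: it only matches the fully
# expanded eight-group form of an IPv6 address.
IPV6NOCOMPRESS = re.compile(r'^([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}$')


def split_ip_port(token):
    """Split a src=/dst= value into (ip, port).

    Accepts 'v4', 'v4:port', 'v6' and '[v6]:port'. port is None when
    absent. Returns None when the address or port does not validate,
    which is the equivalent of a failed `convert` with type: ip.
    """
    token = token.strip()
    host, port = token, None
    if token.startswith('['):
        # Bracketed IPv6, optionally followed by ':port'.
        close = token.find(']')
        if close == -1:
            return None
        host = token[1:close]
        rest = token[close + 1:]
        if rest:
            if not rest.startswith(':'):
                return None
            port = rest[1:]
    elif token.count(':') == 1:
        # Exactly one colon: IPv4 with a port (a dissect on ':' only
        # works for this case, which is why it breaks on IPv6).
        host, port = token.split(':', 1)
    # Otherwise: bare IPv4 (no colon) or bare IPv6 (two or more colons).
    # An unbracketed 'v6:port' is ambiguous and is treated as bare IPv6.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if port is not None:
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            return None
        port = int(port)
    return str(ip), port


def is_uncompressed_ipv6(value):
    """True only for the expanded form the quoted grok pattern accepts."""
    return IPV6NOCOMPRESS.match(value) is not None
```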
pattern_definitions: | ||
IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' |
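Review bot: `IPV6NOCOMPRESS` as written (`([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}`) only matches the fully expanded eight-group form, so any address using `::` compression (`2001:db8::1`, `::1`) will not match this pattern. If a custom pattern is needed at all, consider the built-in `IPV6` grok pattern, which handles compressed forms, instead of a hand-written one.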
If there is no port associated with the IPv6, this pattern is not required (see #3117 (comment)).
Apologies if I'm jumping the gun in terms of planned improvements but I pulled all the expected json docs into a cluster and have some comments:
What does this PR do?
The PR
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
There are pipeline and system tests available for both data streams.
Run pipeline tests -
elastic-package test pipeline -v
Run system tests -
elastic-package test system -v
Related issues
Screenshots