[azure,o365,microsoft_defender_endpoint,m365_defender] Standardize ECS in Microsoft Integrations #13931
Conversation
…standarize_names_in_microsoft_integrations Conflicts: packages/o365/changelog.yml
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
🚀 Benchmarks report

Package

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| log | 3508.77 | 1398.6 | -2110.17 (-60.14%) | 💔 |
| machine | 2336.45 | 1438.85 | -897.6 (-38.42%) | 💔 |
| machine_action | 7042.25 | 5882.35 | -1159.9 (-16.47%) | 💔 |

To see the full report, comment with `/test benchmark fullreport`.
Suggested commit message:

```text
azure,microsoft_defender_endpoint,o365: map source-specific fields to ECS fields

* azure: *.properties.service_principal_id and *.properties.c_device_id to
  service.id and device.id respectively
* microsoft_defender_endpoint: microsoft_defender_endpoint.machine.aad_device_id
  to device.id
* o365: o365.audit.AppAccessContext.DeviceId to device.id
```
packages/azure/changelog.yml
@@ -1,3 +1,8 @@ | |||
- version: "1.24.0" | |||
changes: | |||
- description: Map `service.id` and `device.id` ECS fields to the `*.properties.service_principal_id` and `*.properties.c_device_id` fields, respectively. |
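Review bot: the description in this changelog entry states the mapping in the opposite direction from the suggested commit message above. It says the ECS fields `service.id` and `device.id` are mapped *to* the `*.properties.service_principal_id` and `*.properties.c_device_id` fields, whereas the change copies the source-specific values *into* the ECS fields. Suggest rewording it as "Map `*.properties.service_principal_id` and `*.properties.c_device_id` to the ECS fields `service.id` and `device.id`, respectively." Note also that the hunk header `@@ -1,3 +1,8 @@` announces five added lines but only the version, `changes:` and the description are visible here, so the remainder of the entry could not be checked in this excerpt.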
Looks like there are more fields defined in the requirement: #13369 (comment) for o365 and azure integrations, such as `user.*`, `application.*`, `session.*`.
We have only picked up the data streams and integrations that are owned by the security team. One such example is the `graphactivity` data stream (from Azure). During this process, we attempted to map all relevant fields to the ECS schema. However, fields such as `application.*` and `session.*` are not part of the current ECS schema and therefore could not be mapped.
I think the ask was to manually define these fields (if not present in ECS). Example. Also if you don't have sample data to populate these fields inside tests, please request them in the issue so they can DM you.
...es/microsoft_defender_endpoint/data_stream/machine/elasticsearch/ingest_pipeline/default.yml
Update changelog descriptions as per suggestions.
…standarize_names_in_microsoft_integrations Conflicts: packages/azure/changelog.yml packages/azure/manifest.yml
There is a confused GH user out there somewhere; my handle is not capitalised.
LGTM, but there are outstanding concerns from @kcreddy, so waiting for him.
Set `service.id`, `device.id`, `user.id`, `session.id` and `token.id` in the graphactivitylogs dataset in azure. Set the `device.id` ECS field in all the datasets and `application.name` in the event dataset in m365_defender. Set `application.name`, `device.id`, `session.id`, and `token.id` in the audit dataset in o365.
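As an added illustration of the field copies this change set describes (this is not code from the PR or from the integrations' ingest pipelines, which are YAML), the Python below applies the source-to-ECS mappings named in the review thread the way an Elasticsearch ingest `set` processor with `copy_from`, `ignore_missing: true` and `override: false` behaves: absent sources are skipped and an already-populated target is left alone. The `azure.graphactivitylogs` prefix standing in for the reviewer's `*` is an assumption, only the source paths quoted on the page are included, and the sample events are constructed.

```python
"""Illustration of the source-field -> ECS-field copies discussed in this PR.

Not the integrations' own pipeline code: it mimics an ingest `set` processor
(copy_from, ignore_missing: true, override: false) so the expected shape of a
mapped document can be checked offline.
"""
from __future__ import annotations

from copy import deepcopy
from typing import Any

# Source field -> ECS target, per data stream, taken from the review thread.
# ASSUMPTION: "azure.graphactivitylogs" replaces the "*" the reviewer wrote.
MAPPINGS: dict[str, list[tuple[str, str]]] = {
    "azure.graphactivitylogs": [
        ("azure.graphactivitylogs.properties.service_principal_id", "service.id"),
        ("azure.graphactivitylogs.properties.c_device_id", "device.id"),
    ],
    "microsoft_defender_endpoint.machine": [
        ("microsoft_defender_endpoint.machine.aad_device_id", "device.id"),
    ],
    "o365.audit": [
        ("o365.audit.AppAccessContext.DeviceId", "device.id"),
    ],
}


def get_path(doc: dict[str, Any], path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc: dict[str, Any], path: str, value: Any) -> None:
    """Create intermediate objects as needed and assign the leaf value."""
    keys = path.split(".")
    cur = doc
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def map_to_ecs(doc: dict[str, Any], data_stream: str) -> dict[str, Any]:
    """Copy source-specific values into ECS fields for one data stream.

    ignore_missing: a missing or empty source is skipped.
    override: false: a target that already holds a value is not replaced.
    """
    out = deepcopy(doc)
    for src, dst in MAPPINGS[data_stream]:
        value = get_path(out, src)
        if value in (None, ""):
            continue
        if get_path(out, dst) is not None:
            continue
        set_path(out, dst, value)
    return out


def missing_ecs_ids(doc: dict[str, Any], data_stream: str) -> list[str]:
    """Targets the mapping should have filled but that are still empty.

    Handy as a pipeline-test assertion: an empty list means every ECS id
    the data stream promises is present.
    """
    return [dst for _, dst in MAPPINGS[data_stream] if get_path(doc, dst) is None]


# Constructed sample events (not real telemetry).
SAMPLE_AZURE = {"azure": {"graphactivitylogs": {"properties": {
    "service_principal_id": "sp-0000-constructed",
    "c_device_id": "dev-0000-constructed"}}}}
SAMPLE_MDE = {"microsoft_defender_endpoint": {"machine": {
    "aad_device_id": "aad-0000-constructed"}}}
SAMPLE_O365 = {"o365": {"audit": {"AppAccessContext": {
    "DeviceId": "o365dev-0000-constructed"}}}}

if __name__ == "__main__":
    for name, doc in [("azure.graphactivitylogs", SAMPLE_AZURE),
                      ("microsoft_defender_endpoint.machine", SAMPLE_MDE),
                      ("o365.audit", SAMPLE_O365)]:
        mapped = map_to_ecs(doc, name)
        print(name, "missing after mapping:", missing_ecs_ids(mapped, name))
```

The `override: false` behaviour matters when a data stream already sets `device.id` from a different source earlier in the pipeline: a second copy must not silently clobber it. Targets such as `session.id`, `token.id` and `application.name` are left out here because their source paths are not quoted in the thread; as the reviewers note, those that are not part of ECS need their own definition in the package's extended fields file.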
…standarize_names_in_microsoft_integrations Conflicts: packages/m365_defender/changelog.yml packages/m365_defender/data_stream/alert/sample_event.json packages/m365_defender/data_stream/incident/sample_event.json packages/m365_defender/docs/README.md packages/microsoft_defender_endpoint/changelog.yml packages/microsoft_defender_endpoint/data_stream/machine/sample_event.json packages/microsoft_defender_endpoint/docs/README.md
…standarize_names_in_microsoft_integrations Conflicts: packages/o365/changelog.yml packages/o365/manifest.yml
Since we already have `base-fields.yml`, this name might be confusing. Can you rename the file to `ecs-extended.yml`, and we can understand slightly better as there are RFCs in ECS adding them in the future. Similarly for other data streams.
I see the PR is security-focused. Approving on behalf of the elastic/obs-ds-hosted-services team based on co-ownership of `packages/azure/(changelog|manifest).yml` and `packages/azure/docs/`.
…standarize_names_in_microsoft_integrations Conflicts: packages/m365_defender/changelog.yml packages/m365_defender/data_stream/alert/sample_event.json packages/m365_defender/data_stream/incident/sample_event.json packages/m365_defender/docs/README.md packages/microsoft_defender_endpoint/changelog.yml packages/microsoft_defender_endpoint/data_stream/log/sample_event.json packages/microsoft_defender_endpoint/docs/README.md
Add description for the fields. Update standard-fields file name to extended-ecs
💚 Build Succeeded
Package azure - 1.24.0 containing this change is available at https://epr.elastic.co/package/azure/1.24.0/
Package m365_defender - 3.7.0 containing this change is available at https://epr.elastic.co/package/m365_defender/3.7.0/
Package microsoft_defender_endpoint - 2.37.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/2.37.0/
Package o365 - 2.17.0 containing this change is available at https://epr.elastic.co/package/o365/2.17.0/
Proposed Commit Message

Checklist

- `changelog.yml` file.

How to test this PR locally

The same steps apply to each of the four affected integrations (azure, m365_defender, microsoft_defender_endpoint, o365):

1. Clone the integrations repo.
2. Install `elastic-package` locally.
3. Start the Elastic stack using `elastic-package`.
4. Move to the package directory: `integrations/packages/azure`, `integrations/packages/m365_defender`, `integrations/packages/microsoft_defender_endpoint` or `integrations/packages/o365`.
5. Run the tests:

```
elastic-package test -v
```
Related issues