[crowdstrike,m365_defender,microsoft_defender_endpoint,trend_micro_vision_one] map source-specific fields to process.* ECS fields #13984
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

…add_ecs_for_data_analyzer

Conflicts:
  packages/crowdstrike/changelog.yml
  packages/crowdstrike/data_stream/alert/sample_event.json
  packages/crowdstrike/data_stream/falcon/sample_event.json
  packages/crowdstrike/docs/README.md
  packages/m365_defender/changelog.yml
  packages/m365_defender/data_stream/alert/sample_event.json
  packages/m365_defender/data_stream/incident/sample_event.json
  packages/m365_defender/docs/README.md
  packages/microsoft_defender_endpoint/changelog.yml
  packages/microsoft_defender_endpoint/data_stream/log/sample_event.json
  packages/microsoft_defender_endpoint/docs/README.md

🚀 Benchmarks report
packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
- convert: | ||
field: process.pid | ||
tag: convert_process_pid_to_string | ||
target_field: process.entity_id | ||
type: string | ||
ignore_missing: true | ||
- convert: | ||
field: process.parent.pid | ||
tag: convert_process_parent_pid_to_string | ||
target_field: process.parent.entity_id | ||
type: string | ||
ignore_missing: true |
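Review bot: the `convert` with `type: string` from `process.pid` into `process.entity_id` (and the parent equivalent) changes the type of the copied value rather than just populating the new field; if the goal is only to fill the entity_id fields, a `set` with `copy_from` keeps the numeric value, and the keyword target can then be noted as numeric in the pipeline test config. Since the entity id here is derived from the pid alone, the package docs should say so, because a process id by itself is not a stable unique identifier for the process.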
Leave as numbers and note numeric keyword in the test definition.
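To make the type question concrete, here is an added example (not code from the PR or from the integrations repo) that models the ingest `convert` processor in Python and compares the diff's string conversion with the keep-as-numbers alternative; `numeric_keyword_fields` refers to the elastic-package pipeline-test config option, and the sample event and the KEYWORD_FIELDS list are constructed for the example.

```python
import copy
# Constructed sample event (not from the PR): process.pid is a list because the
# m365_defender Painless step (convertToOrderedArray) can leave pids multi-valued.
SAMPLE_EVENT = {"process": {"pid": [4321, 987], "parent": {"pid": 1}}}
# Hypothetical keyword-typed ECS targets the pipeline test would type-check.
KEYWORD_FIELDS = ("process.entity_id", "process.parent.entity_id")
PID_TO_ENTITY = (("process.pid", "process.entity_id"),
                 ("process.parent.pid", "process.parent.entity_id"))
def get_path(doc, path):
    """Resolve a dotted field such as process.parent.pid; None when absent."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc
def set_path(doc, path, value):
    """Create intermediate objects and assign the leaf of a dotted field."""
    *parents, leaf = path.split(".")
    for part in parents:
        doc = doc.setdefault(part, {})
    doc[leaf] = value

def convert(doc, field, target_field, type="string", ignore_missing=False):
    """Model of the ingest 'convert' processor: an array converts per element."""
    value = get_path(doc, field)
    if value is None:
        if ignore_missing:
            return doc
        raise KeyError(f"field [{field}] not present as part of path")
    cast = {"string": str, "long": int, "integer": int}[type]
    set_path(doc, target_field, [cast(v) for v in value] if isinstance(value, list) else cast(value))
    return doc

def derive_entity_ids(event, as_string):
    """as_string=True is the diff (convert type: string); False copies unchanged."""
    doc = copy.deepcopy(event)
    for src, dst in PID_TO_ENTITY:
        if as_string:
            convert(doc, src, dst, "string", ignore_missing=True)
        elif (value := get_path(doc, src)) is not None:
            set_path(doc, dst, copy.deepcopy(value))  # what set + copy_from does
    return doc

def numeric_keyword_fields(doc):
    """Keyword fields holding numbers: list these under numeric_keyword_fields."""
    found = []
    for field in KEYWORD_FIELDS:
        value = get_path(doc, field)
        values = value if isinstance(value, list) else [value]
        if any(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
            found.append(field)
    return found
```

Running both variants over SAMPLE_EVENT shows the string version yields `["4321", "987"]` while the numeric version keeps `[4321, 987]` and is the one that needs the test-config note.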
- convert: | ||
field: process.pid | ||
tag: convert_process_pid_to_string | ||
target_field: process.entity_id | ||
type: string | ||
ignore_missing: true | ||
- convert: | ||
field: process.parent.pid | ||
tag: convert_process_parent_pid_to_string | ||
target_field: process.parent.entity_id | ||
type: string | ||
ignore_missing: true |
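Review bot: this block repeats the two converters from the alert pipeline line for line, so whatever is decided there (string conversion or numeric copy) has to be mirrored here, otherwise `process.entity_id` ends up with different types across data streams of the same package, which works against the consistency this change is meant to deliver.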
Leave as numbers.
@@ -2237,6 +2237,46 @@ processors: | |||
if (!processParentPid.isEmpty()) { | |||
ctx.process.parent.pid = convertToOrderedArray(processParentPid); | |||
} | |||
- foreach: |
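Review bot: because `convertToOrderedArray` leaves `ctx.process.parent.pid` as an array here, any later step that derives `process.parent.entity_id` from it produces an array of ids rather than a scalar; the `foreach` that follows should iterate that array instead of assuming a single value, and the expected pipeline-test output should cover the multi-valued case.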
Leave as numbers.
- convert: | ||
field: process.pid | ||
tag: convert_process_pid_to_string | ||
target_field: process.entity_id | ||
type: string | ||
ignore_missing: true | ||
- convert: | ||
field: process.parent.pid | ||
tag: convert_process_parent_pid_to_string | ||
target_field: process.parent.entity_id | ||
type: string | ||
ignore_missing: true |
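Review bot: the tags `convert_process_pid_to_string` and `convert_process_parent_pid_to_string` describe a string conversion; if the step is changed to keep the numeric value as requested, rename the tags (for example to a `copy_process_pid_to_entity_id` form) so the error tags in `on_failure` output still describe what the processor does.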
Leave as numbers.
@@ -295,6 +295,11 @@ processors: | |||
field: process.pid | |||
copy_from: trend_micro_vision_one.detection.process.pid | |||
ignore_failure: true | |||
- convert: |
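Review bot: `ignore_failure: true` on the `copy_from` step swallows every failure, including the source field `trend_micro_vision_one.detection.process.pid` being absent, so the `convert` added after it then operates on a missing `process.pid` and needs its own `ignore_missing`; prefer `ignore_empty_value: true` on the copy and keep `process.pid` numeric, as requested, rather than layering a string conversion on top.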
Leave as a number.
💚 Build Succeeded
Suggest commit message body:
* crowdstrike: add process.entity_id and process.parent.entity_id ECS
mappings in alert and falcon data streams.
* m365_defender: add process.entity_id and process.parent.entity_id ECS
mappings in all data streams.
* microsoft_defender_endpoint: add process.entity_id and
process.parent.entity_id ECS mappings in log data stream.
* trend_micro_vision_one: add process.entity_id ECS mapping in detection
data stream.
These mappings align the data streams with ECS standards and ensure
consistency across ingested data, supporting reliable analyzer
development.
Package crowdstrike - 1.71.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/1.71.0/
Package m365_defender - 3.6.0 containing this change is available at https://epr.elastic.co/package/m365_defender/3.6.0/
Package microsoft_defender_endpoint - 2.36.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/2.36.0/
Package trend_micro_vision_one - 2.1.0 containing this change is available at https://epr.elastic.co/package/trend_micro_vision_one/2.1.0/
Proposed Commit Message

Checklist

- changelog.yml file.

How to test this PR locally

To test an integration:

1. Clone the integrations repo.
2. Install elastic-package locally.
3. Start the Elastic stack using elastic-package.
4. Move to the integrations/packages/<integration_name> directory.
5. Run the tests:

```shell
elastic-package test -v
```

NOTE: To test individual integrations, replace <integration_name> with one of the following: crowdstrike, m365_defender, microsoft_defender_endpoint, or trend_micro_vision_one.

Related issues