[Filebeat] Add to Zeek Module #13683
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
|
Pinging @elastic/siem |
|
jenkins, test this |
|
@Xander33 Some files are not up-to-date. Can you run 'mage fmt update' on beats/x-pack/filebeat and beats/filebeat directory, then review and commit the changes again? |
|
@Xander33: Thanks for the contribution. From a brief glance, it looks good. We will do a more detailed review. BTW, is it possible for you to add the *.log-expected.json for the test files? |
|
It seems that you don't have time to work on this PR anymore. Are you OK with us opening a new PR with your commits? Your commits will be kept so you are still credited for it. Thanks. |
|
So, this is moving forward? Good, smb logs are important for lateral movement detection |
|
@alakahakai Yes my time has been limited lately. Go ahead and do what you need to do |
|
@Xander33, I'm not on the engineering team, but as someone at Elastic who focuses on our security analytics offerings and community, thank you for your work on this proposed enhancement. |
andrewkroh
added
needs_backport
In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868
In #13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In #12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868
Add 30+ filesets to Filebeat Zeek module. Thanks to @Xander33 for the original PR elastic#13683.
) In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868 (cherry picked from commit 229aee0)
) In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868 (cherry picked from commit 229aee0)
…19041) In #13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In #12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868 (cherry picked from commit 229aee0)
…19042) In #13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In #12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868 (cherry picked from commit 229aee0)
) In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes it from the module.d/zeek.yml config file so that the module can start. In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps the fileset from that closed PR can be brought into master. Relates: #18868
_meta/fields.ymlto{fileset}/_meta/fields.ymlrelated issues: #12724 #11944