Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[crowdstrike] Format source.mac per ECS in FDR #3302

Merged
merged 8 commits into from
May 10, 2022
Merged

[crowdstrike] Format source.mac per ECS in FDR #3302

merged 8 commits into from
May 10, 2022

Conversation

andrewkroh
Copy link
Member

What does this PR do?

Format the source.mac field as per ECS (https://www.elastic.co/guide/en/ecs/current/ecs-observer.html#field-observer-mac).

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

Also cleanup field mappings:

  • fdr: Use ECS process.end, source.geo.location, destination.geo.location.
  • falcon: Use ECS log.file.path.
  • falcon: Remove duplicated field definitions.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@andrewkroh
Update changelog
3a1b48b 
[git-generate]
elastic-package-changelog add-next --pr 3302 --type bug --description "Format source.mac as per ECS."
@andrewkroh andrewkroh marked this pull request as ready for review May 9, 2022 17:19
@andrewkroh andrewkroh requested a review from a team as a code owner May 9, 2022 17:19
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented May 9, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-05-09T17:17:37.508+0000

  • Duration: 15 min 31 sec

Test stats 🧪

Test Results
Failed 0
Passed 13
Skipped 0
Total 13

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (2/2) 💚
Files 100.0% (9/9) 💚 3.606
Classes 100.0% (9/9) 💚 3.606
Methods 100.0% (53/53) 💚 11.752
Lines 91.343% (1435/1571) 👍 2.358
Conditionals 100.0% (0/0) 💚

@andrewkroh andrewkroh merged commit 46fe600 into elastic:main May 10, 2022
This was referenced May 22, 2022
Merged
Closed
Merged
@andrewkroh andrewkroh mentioned this pull request Jun 9, 2022
Merged
andrewkroh added a commit that referenced this pull request Jun 28, 2022
@andrewkroh
[security-external-integrations packages] Update to ECS 8.3 (#3353)
1bcd21c 
This updates the ECS version used in all non-deprecated packages owned by elastic/security-external-integrations.

These packages required fixes in order to comply with the `pattern` added to ECS to validate MAC addresses.

- cef - #3566
- crowdstrike - #3302
- cylance.protect - #3368
- fortinet.fortimanager - #3401
- iptables.log - #3358
- microsoft_dhcp - #3300
- pfsense - #3303
- snort - #3301
- sonicwall.firewall - #3360
- sophos.utm - #3370

NOTE: The following packages were not updated for 8.2.0. I didn't catch anything in 8.1 or 8.2 that needed changed.

 - auth0 - 1.12.0
 - carbon_black_cloud - 8.0.0
 - cisco_ise - 8.0.0
 - cisco_meraki - 8.0.0
 - hid_bravura_monitor - 1.12.0
 - modsecurity - 1.12.0
 - mysql_enterprise - 8.0.0
 - netskope - 8.0.0
 - oracle - 8.0.0
 - symantec_endpoint - 1.12.0
 - ti_recordedfuture - 8.0

[git-generate]
go run github.com/andrewkroh/go-examples/ecs-update@6efa1ecb3871 \
  --ecs-version=8.3.0 \
  -ecs-git-ref=v8.3.0 \
  --pr=3353 \
  --owner=elastic/security-external-integrations \
  packages/*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r00tu53r r00tu53r r00tu53r approved these changes

Assignees
No one assigned
Labels
Integration:crowdstrike CrowdStrike
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @elasticmachine @r00tu53r