

[Filebeat] Improve ECS categorization field mappings in osquery module (
elastic#17881)

* Improve ECS categorization field mappings in osquery module

- event.action
- event.kind
- event.type
- file.accessed
- file.created
- file.directory
- file.gid
- file.inode
- file.mode
- file.mtime
- file.name
- file.path
- file.size
- file.type
- file.uid
- host.hostname
- host.id
- process.name
- related.user
- rule.name
- url.full
- user.name

Closes elastic#16176

* Fix misspelling of username & set ECS version
leehinman authored May 5, 2020
1 parent d59b149 commit 282b084
Showing 7 changed files with 2,046 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
- When using the `json.*` setting available on some inputs, decoded fields are now deep-merged into existing event. {pull}17958[17958]
- Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]

*Heartbeat*

5 changes: 5 additions & 0 deletions filebeat/module/osquery/result/config/result.yml
Expand Up @@ -6,3 +6,8 @@ paths:
exclude_files: [".gz$"]
json.overwrite_keys: true
json.add_error_key: true
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
158 changes: 158 additions & 0 deletions filebeat/module/osquery/result/ingest/pipeline.json
Expand Up @@ -42,6 +42,164 @@
"target_field": "osquery.result.calendar_time",
"ignore_missing": true
}
},
{
"set": {
"field": "event.kind",
"value": "event"
}
},
{
"set": {
"field": "event.type",
"value": "info"
}
},
{
"set": {
"field": "event.action",
"value": "{{osquery.result.action}}",
"if": "ctx?.osquery?.result?.action != null"
}
},
{
"date": {
"field": "osquery.result.columns.atime",
"target_field": "file.accessed",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.atime != null"
}
},
{
"date": {
"field": "osquery.result.columns.ctime",
"target_field": "file.created",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.ctime != null"
}
},
{
"date": {
"field": "osquery.result.columns.mtime",
"target_field": "file.mtime",
"formats": ["UNIX"],
"ignore_failure": true,
"if": "ctx?.osquery?.result?.columns?.mtime != null"
}
},
{
"set": {
"field": "file.directory",
"value": "{{osquery.result.columns.directory}}",
"if": "ctx?.osquery?.result?.columns?.directory != null"
}
},
{
"set": {
"field": "file.name",
"value": "{{osquery.result.columns.filename}}",
"if": "ctx?.osquery?.result?.columns?.filename != null"
}
},
{
"set": {
"field": "file.gid",
"value": "{{osquery.result.columns.gid}}",
"if": "ctx?.osquery?.result?.columns?.gid != null"
}
},
{
"set": {
"field": "file.inode",
"value": "{{osquery.result.columns.inode}}",
"if": "ctx?.osquery?.result?.columns?.inode != null"
}
},
{
"set": {
"field": "file.mode",
"value": "{{osquery.result.columns.mode}}",
"if": "ctx?.osquery?.result?.columns?.mode != null"
}
},
{
"set": {
"field": "file.path",
"value": "{{osquery.result.columns.path}}",
"if": "ctx?.osquery?.result?.columns?.path != null"
}
},
{
"set": {
"field": "file.size",
"value": "{{osquery.result.columns.size}}",
"if": "ctx?.osquery?.result?.columns?.size != null"
}
},
{
"set": {
"field": "file.type",
"value": "{{osquery.result.columns.type}}",
"if": "ctx?.osquery?.result?.columns?.type != null"
}
},
{
"set": {
"field": "file.uid",
"value": "{{osquery.result.columns.uid}}",
"if": "ctx?.osquery?.result?.columns?.uid != null"
}
},
{
"set": {
"field": "user.name",
"value": "{{osquery.result.decorations.username}}",
"if": "ctx?.osquery?.result?.decorations?.username != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{user.name}}",
"if": "ctx?.user?.name != null"
}
},
{
"set": {
"field": "host.hostname",
"value": "{{osquery.result.host_identifier}}",
"if": "ctx?.osquery?.result?.host_identifier != null"
}
},
{
"set": {
"field": "host.id",
"value": "{{osquery.result.decorations.host_uuid}}",
"if": "ctx?.osquery?.result?.decorations?.host_uuid != null"
}
},
{
"set": {
"field": "process.name",
"value": "{{osquery.result.columns.process}}",
"if": "ctx?.osquery?.result?.columns?.process != null"
}
},
{
"set": {
"field": "url.full",
"value": "{{osquery.result.columns.source_url}}",
"if": "ctx?.osquery?.result?.columns?.source_url != null && ctx.osquery.result.columns.source_url != 'null'"
}
},
{
"set": {
"field": "rule.name",
"value": "{{osquery.result.name}}",
"if": "ctx?.osquery?.result?.name != null"
}
}
],
"on_failure" : [{
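Review bot: The `date` processor that reads `osquery.result.columns.ctime` writes it to `file.created`, but on Linux and macOS ctime is the inode change time (bumped by chmod, chown, rename), not creation time, so an analyst trusting `file.created` during an investigation gets a misleading timestamp; ECS, which this commit pins at 1.5.0, defines `file.ctime` for exactly this value. Change that processor's target to `"target_field": "file.ctime"` and, if the queries feeding this module select osquery's `btime` column, populate `file.created` from it with a parallel processor (sketched below). Separately, `host.hostname` is filled from `osquery.result.host_identifier`, which osquery only guarantees to be a hostname when its `--host_identifier` flag is set to `hostname` — with `uuid` the field would hold a UUID, so the mapping deserves either a guard or a caveat in the module docs. The numeric columns (`file.size`, `file.uid`, `file.gid`, `file.inode`) are copied through Mustache templates and therefore arrive as strings, relying on index-time coercion; a `convert` processor with `"type": "long"` for `file.size` would make the intended type explicit.
```json
    {
      "date": {
        "field": "osquery.result.columns.ctime",
        "target_field": "file.ctime",
        "formats": ["UNIX"],
        "ignore_failure": true,
        "if": "ctx?.osquery?.result?.columns?.ctime != null"
      }
    },
    {
      "date": {
        "field": "osquery.result.columns.btime",
        "target_field": "file.created",
        "formats": ["UNIX"],
        "ignore_failure": true,
        "if": "ctx?.osquery?.result?.columns?.btime != null"
      }
    },
```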
