From 01ba124a85cf589a9e6582fccf3276f8fa924b41 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Tue, 4 Feb 2025 18:55:53 +0100
Subject: [PATCH 01/38] Add missing ECS mappings - box_events
---
 packages/box_events/data_stream/events/fields/ecs.yml | 7 +++++++
 packages/box_events/docs/README.md | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 packages/box_events/data_stream/events/fields/ecs.yml
diff --git a/packages/box_events/data_stream/events/fields/ecs.yml b/packages/box_events/data_stream/events/fields/ecs.yml
new file mode 100644
index 00000000000..68030c5511f
--- /dev/null
+++ b/packages/box_events/data_stream/events/fields/ecs.yml
@@ -0,0 +1,7 @@
+# This definition could be removed once Kibana constraint is updated
+# to 8.15.2 or higher. "ecs@mappings" component template would define
+# the correct dynamic template for it.
+- external: ecs
+ name: threat.enrichments.indicator.first_seen
+- external: ecs
+ name: threat.enrichments.indicator.last_seen
diff --git a/packages/box_events/docs/README.md b/packages/box_events/docs/README.md
index b24efb95035..ac56496e320
--- a/packages/box_events/docs/README.md
+++ b/packages/box_events/docs/README.md
@@ -270,4 +270,6 @@ Preserves a raw copy of the original event, added to the field `event.original`.
 | related.description | Array of `description` derived from `threat[.enrichments].indicator.description` | keyword |
 | related.indicator_type | Array of `indicator_type` derived from `threat[.enrichments].indicator.type` | keyword |
 | related.location | Array of `location` derived from `related.ip` | geo_point |
+| threat.enrichments.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
From 001e81e589c1c5562727cf7325abb5c25dfc7549 Mon Sep 17 00:00:00 2001
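Review bot: The header comment on the new ecs.yml says the definition can go once "Kibana constraint is updated to 8.15.2 or higher" but does not say which constraint or where it lives, so the next maintainer has to rediscover that; the identical three-line comment is copied into the claroty_ctd, mimecast and ti_anomali ecs.yml files in later patches of this series. Suggest pointing it at the package manifest so the cleanup is actionable, e.g. `# Remove once conditions.kibana.version in manifest.yml is raised to ^8.15.2; the ecs@mappings component template then supplies the date mapping for these fields.`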
From: Mario Rodriguez Molins
Date: Tue, 4 Feb 2025 19:01:34 +0100
Subject: [PATCH 02/38] Add missing ECS mappings - claroty_ctd
---
 packages/claroty_ctd/data_stream/event/fields/ecs.yml | 6 ++++++
 packages/claroty_ctd/docs/README.md | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 packages/claroty_ctd/data_stream/event/fields/ecs.yml
diff --git a/packages/claroty_ctd/data_stream/event/fields/ecs.yml b/packages/claroty_ctd/data_stream/event/fields/ecs.yml
new file mode 100644
index 00000000000..7786c1b562c
--- /dev/null
+++ b/packages/claroty_ctd/data_stream/event/fields/ecs.yml
@@ -0,0 +1,6 @@
+# This definition could be removed once Kibana constraint is updated
+# to 8.15.2 or higher. "ecs@mappings" component template would define
+# the correct dynamic template for it.
+- external: ecs
+ name: threat.indicator.modified_at
+
diff --git a/packages/claroty_ctd/docs/README.md b/packages/claroty_ctd/docs/README.md
index 903a2e5bb0c..84c6d69986a
--- a/packages/claroty_ctd/docs/README.md
+++ b/packages/claroty_ctd/docs/README.md
@@ -717,6 +717,7 @@ An example event for `event` looks as following:
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event read/sent. | keyword |
 | tags | User defined tags. | keyword |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 ### Assets
From a72f5b4e549ee50e12a51dbc293a3baa6172fb38 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Tue, 4 Feb 2025 19:03:11 +0100
Subject: [PATCH 03/38] Avoid using dynamic templates for flattened objects - crowdstrike
---
 packages/crowdstrike/data_stream/fdr/fields/fields.yml | 2 +-
 packages/crowdstrike/docs/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
index 7a27dc795e2..692a411263b 100644
--- a/packages/crowdstrike/data_stream/fdr/fields/fields.yml
+++ b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -27,7 +27,7 @@
 type: long
 - name: AsepWrittenCount
 type: long
- - name: assessments.*
+ - name: assessments
 type: flattened
 - name: AssociatedFile
 type: keyword
diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md
index 3972576da20..dd7b1aff00d 100644
--- a/packages/crowdstrike/docs/README.md
+++ b/packages/crowdstrike/docs/README.md
@@ -1662,7 +1662,7 @@ and/or `session_token`.
 | crowdstrike.__mv_aip | | keyword |
 | crowdstrike.__mv_discoverer_aid | | keyword |
 | crowdstrike.aipCount | | integer |
-| crowdstrike.assessments.\* | | flattened |
+| crowdstrike.assessments | | flattened |
 | crowdstrike.cid | | keyword |
 | crowdstrike.discovererCount | | integer |
 | crowdstrike.discoverer_aid | | keyword |
From 69d5f8ad5500186876ae39e43c18158abd805551 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:03:52 +0100
Subject: [PATCH 04/38] Add missing ECS mappings - mimecast
---
 .../threat_intel_malware_customer/fields/ecs.yml | 8 ++++++++
 .../data_stream/threat_intel_malware_grid/fields/ecs.yml | 8 ++++++++
 packages/mimecast/docs/README.md | 4 ++++
 3 files changed, 20 insertions(+)
 create mode 100644 packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml
 create mode 100644 packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml
new file mode 100644
index 00000000000..90ed56f864c
--- /dev/null
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml
@@ -0,0 +1,8 @@
+# This definition could be removed once Kibana constraint is updated
+# to 8.15.2 or higher. "ecs@mappings" component template would define
+# the correct dynamic template for it.
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.first_seen
+
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml
new file mode 100644
index 00000000000..90ed56f864c
--- /dev/null
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml
@@ -0,0 +1,8 @@
+# This definition could be removed once Kibana constraint is updated
+# to 8.15.2 or higher. "ecs@mappings" component template would define
+# the correct dynamic template for it.
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.first_seen
+
diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md
index 09f856d38ee..1883c3d2aa6 100644
--- a/packages/mimecast/docs/README.md
+++ b/packages/mimecast/docs/README.md
@@ -1018,6 +1018,8 @@ An example event for `threat_intel_malware_customer` looks as following:
 | mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword |
 | mimecast.valid_from | The valid from date. | date |
 | mimecast.value | The value of the indicator. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 ### Threat Intel Feed Malware: Grid
@@ -1134,6 +1136,8 @@ An example event for `threat_intel_malware_grid` looks as following:
 | mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword |
 | mimecast.valid_from | The valid from date. | date |
 | mimecast.value | The value of the indicator. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 ### TTP Attachment Logs
From ee105019fcbb978b4d602207f9f4394c2fccfb62 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:06:57 +0100
Subject: [PATCH 05/38] Fix sublime_security.email_message.headers.hops.fields group mappings - sublime_security
---
 .../email_message/fields/fields.yml | 20 +++++++++++++++++--
 packages/sublime_security/docs/README.md | 3 ++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/packages/sublime_security/data_stream/email_message/fields/fields.yml b/packages/sublime_security/data_stream/email_message/fields/fields.yml
index ebd5e6a90f5..71481927b1b 100644
--- a/packages/sublime_security/data_stream/email_message/fields/fields.yml
+++ b/packages/sublime_security/data_stream/email_message/fields/fields.yml
@@ -641,9 +641,25 @@
 - name: type
 type: keyword
 description: The type of authentication result, derived from the field name.
+ # https://github.com/elastic/kibana/pull/204104
+ # Option 1: generate all keys as keywords under fields
+ # - name: fields
+ # type: object
+ # object_type: keyword
+ # object_type_mapping_type: "*"
+ # - name: fields.position
+ # # description: ?
+ # type: long # should be considered as keyword too?
+ # Option 2: keep position as long
 - name: fields
- type: object
- object_type: keyword
+ type: group
+ fields:
+ - name: "*"
+ type: object
+ object_type: keyword
+ - name: position
+ # description: ?
+ type: long
 - name: index
 type: long
 description: Index indicates the order in which a hop occurred from sender to recipient.
diff --git a/packages/sublime_security/docs/README.md b/packages/sublime_security/docs/README.md
index 80299296e24..23a1776031b 100644
--- a/packages/sublime_security/docs/README.md
+++ b/packages/sublime_security/docs/README.md
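Review bot: The new `fields` group ships with a rejected alternative left commented out (the "Option 1" block) and two `# description: ?` placeholders, so the fields.yml now records open design questions rather than a decision. Keep only the chosen option, give `position` a real description or drop the placeholder, and reduce the rationale to one line that still carries the Kibana link, e.g. `# Keys under fields are dynamic keywords; position is typed separately (see https://github.com/elastic/kibana/pull/204104).` The `# should be considered as keyword too?` question on the commented `type: long` also needs an answer before merge, since the README in this same commit already exports `fields.position` as `long`.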
@@ -1222,7 +1222,8 @@ An example event for `email_message` looks as following:
 | sublime_security.email_message.headers.hops.authentication_results.spf_details.server.valid | Whether the domain is valid. | boolean |
 | sublime_security.email_message.headers.hops.authentication_results.spf_details.verdict | Verdict of the SPF. | keyword |
 | sublime_security.email_message.headers.hops.authentication_results.type | The type of authentication result, derived from the field name. | keyword |
-| sublime_security.email_message.headers.hops.fields | | object |
+| sublime_security.email_message.headers.hops.fields.\* | | object |
+| sublime_security.email_message.headers.hops.fields.position | | long |
 | sublime_security.email_message.headers.hops.index | Index indicates the order in which a hop occurred from sender to recipient. | long |
 | sublime_security.email_message.headers.hops.received.additional.raw | The raw string for remaining additional clauses, such as transport information. | keyword |
 | sublime_security.email_message.headers.hops.received.id.raw | The raw string of 'id' section. | keyword |
From 612ce1f0203bad3742eb8aa0236964fddc797887 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:09:46 +0100
Subject: [PATCH 06/38] Update event-groups ingest pipeline - teleport
---
 .../ingest_pipeline/event-groups.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml b/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
index c595b7a8369..5dce8b6e750 100644
--- a/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
+++ b/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
@@ -872,14 +872,20 @@ processors:
 field: teleport.audit.aws_region
 target_field: cloud.region
 ignore_missing: true
+ # This was failing due to `cloud.region` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_service
 target_field: cloud.service.name
 ignore_missing: true
+ # This was failing due to `cloud.service.name` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_host
 target_field: cloud.instance.id
 ignore_missing: true
+ # This was failing due to `cloud.instance.id` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_assumed_role
 target_field: teleport.audit.app.aws.assumed_role
@@ -968,6 +974,8 @@ processors:
 field: teleport.audit.db_gcp_instance_id
 target_field: cloud.instance.id
 ignore_missing: true
+ # This was failing due to `cloud.instance.id` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.db_roles
 target_field: teleport.audit.database.roles
@@ -1407,6 +1415,8 @@ processors:
 field: teleport.audit.instance_id
 target_field: cloud.instance.id
 ignore_missing: true
+ # This was failing due to `cloud.instance.id` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.exit_code
 target_field: process.exit_code
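Review bot: `override: true` on the renames into `cloud.region`, `cloud.service.name` and `cloud.instance.id` lets the value carried in the Teleport audit event silently replace whatever was already in those fields, and the inline `# Should it be added an if condition? ...` questions ship unanswered in the pipeline. The pre-existing values presumably come from agent-side cloud metadata describing the host running the collector, not the AWS app, database or GCP instance the audit event is about, so overwriting them merges two different resources into one field; the same choice is repeated in the 968 and 1407 hunks here and in the 1426 hunk that follows. Either guard each rename so existing metadata wins, `if: ctx.cloud?.region == null` (and the matching check for the other targets), or keep the Teleport value in its own `teleport.audit.*` field, and replace the questions with a comment stating the decision. The processors list starts and ends outside these hunks.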
@@ -1426,11 +1436,17 @@ processors:
 field: teleport.audit.account_id
 target_field: cloud.account.id
 ignore_missing: true
+ # This was failing due to `cloud.account.id` already existed
+ override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.region
 target_field: cloud.region
 ignore_missing: true
- ignore_failure: true
+ ignore_failure: true # it could already exist this field
+ # in case it fails previous rename processor, remove the field (not defined in the package)
+ - remove:
+ field: teleport.audit.region
+ ignore_missing: true
 - rename:
 field: teleport.audit.stdout
 target_field: teleport.audit.database.aws.ssm_run.stdout
From 142034501c9d6a3a90455e079b4e6cf0cb302007 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:13:12 +0100
Subject: [PATCH 07/38] Add missing ECS field in latest_code_scanning transform - github
---
 .../elasticsearch/transform/latest_code_scanning/fields/ecs.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml b/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
index 8cfb2793292..d3155a2d1cd 100644
--- a/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
+++ b/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
@@ -38,3 +38,5 @@
 name: rule.name
 - external: ecs
 name: tags
+- external: ecs
+ name: message
From ef021f2450e67748cca760ca644aa0d69941c12e Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:24:55 +0100
Subject: [PATCH 08/38] Update destination index transform - github
---
 .../elasticsearch/transform/latest_code_scanning/transform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
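Review bot: The `teleport.audit.region` rename keeps `ignore_failure: true` and is now followed by an unconditional `remove`, so when the rename fails because `cloud.region` already exists the region reported by Teleport is discarded with no trace, whereas the sibling renames in this file take the opposite choice with `override: true` and overwrite the existing value. Pick one behaviour for the whole pipeline and say why; if the existing `cloud.region` should win here, keep the Teleport value by renaming it into a `teleport.audit.*` field instead of removing it. The new comment would read better as `# cloud.region may already be set by an earlier processor; the source value is dropped below`. The processors list starts and ends outside the hunk.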
diff --git a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
index 06958284992..98c3544a6ed 100644
--- a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
+++ b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
@@ -10,7 +10,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-github_latest.dest_code_scanning-1"
+ index: "logs-github_latest.dest_code_scanning-2"
 aliases:
 - alias: "logs-github_latest.code_scanning"
 move_on_creation: true
From d048cc2a1b76e830e658faf55fbfdabc193ce7ec Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 12:28:18 +0100
Subject: [PATCH 09/38] Add missing ECS mappings - ti_anomali
---
 packages/ti_anomali/data_stream/intelligence/fields/ecs.yml | 6 ++++++
 packages/ti_anomali/docs/README.md | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 packages/ti_anomali/data_stream/intelligence/fields/ecs.yml
diff --git a/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml b/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml
new file mode 100644
index 00000000000..7786c1b562c
--- /dev/null
+++ b/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml
@@ -0,0 +1,6 @@
+# This definition could be removed once Kibana constraint is updated
+# to 8.15.2 or higher. "ecs@mappings" component template would define
+# the correct dynamic template for it.
+- external: ecs
+ name: threat.indicator.modified_at
+
diff --git a/packages/ti_anomali/docs/README.md b/packages/ti_anomali/docs/README.md
index 2a4012f3aa0..274cd88f7a4 100644
--- a/packages/ti_anomali/docs/README.md
+++ b/packages/ti_anomali/docs/README.md
@@ -180,6 +180,7 @@ An example event for `intelligence` looks as following:
 | labels.is_ioc_transform_source | Indicates whether an IOC is in the raw source data stream, or the in latest destination index. | constant_keyword |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 ### Anomali ThreatStream via the Elastic Extension
From 0abc3c4f2da3ccbd94bf7695a48b1b393d06b100 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 16:03:22 +0100
Subject: [PATCH 10/38] Add mapping for threat.indicator.url.original in transform - ti_custom
---
 .../ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml
index e67b0f76c91..3e947dce788 100644
--- a/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml
+++ b/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml
@@ -42,6 +42,8 @@
 type: keyword
 - name: threat.indicator.url.full
 type: keyword
+- name: threat.indicator.url.original
+ type: wildcard
 # Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14
 # Related to fix: https://github.com/elastic/kibana/pull/177608
 - name: event.module
From 0bcb54c80cbf767ef579cd9c115de1829949b1c6 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 16:10:02 +0100
Subject: [PATCH 11/38] Add missing field mappings in transforms - tychon
---
 packages/tychon/elasticsearch/transform/arp/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/browser/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/ciphers/fields/ecs.yml | 4 ++++
 packages/tychon/elasticsearch/transform/coams/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/cve/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/epp/fields/ecs.yml | 2 ++
 .../elasticsearch/transform/exposedservice/fields/ecs.yml | 2 ++
 .../transform/externaldevicecontrol/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/features/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/harddrive/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/hardware/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/host/fields/ecs.yml | 2 ++
 .../elasticsearch/transform/networkadapter/fields/ecs.yml | 2 ++
 .../elasticsearch/transform/softwareinventory/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/stig/fields/ecs.yml | 2 ++
 .../tychon/elasticsearch/transform/systemcerts/fields/ecs.yml | 2 ++
 packages/tychon/elasticsearch/transform/volume/fields/ecs.yml | 2 ++
 18 files changed, 38 insertions(+)
diff --git a/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
index 4e9268e07b5..4e57f8022fd 100644
--- a/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
@@ -68,3 +68,5 @@
 name: network.type
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip # should it be kept as keyword instead of IP ? Would that be a breaking change?
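Review bot: Declaring `related.ip` with `external: ecs` gives it the ECS `ip` type, and the inline comment asks whether that is a breaking change instead of settling it; the same open question is left on `server.ip` in the ciphers hunk, on `related.ip` in the harddrive hunk, and on `related.ip` in the wiz latest_cdr_vulnerabilities hunk of PATCH 12. Two concrete effects to check before merging: an `ip` field rejects any value that is not a parseable address, so a hostname or empty string arriving from the source data stream would make the transform fail to index that document, and a destination index that already exists keeps its current mapping, so a keyword-to-ip change only takes effect with a new destination index, which is what PATCH 08 does for the github transform with the `-2` suffix. If the source pipelines only ever write validated addresses into these fields, replace the question with a comment saying so; otherwise keep the previous type explicitly with `- name: related.ip` followed by `type: keyword` rather than the `external: ecs` reference.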
diff --git a/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml b/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml
index 48cfb3f77fc..bb8fd831b87 100644
--- a/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml
@@ -80,3 +80,5 @@
 name: tags
 - external: ecs
 name: tls.version_protocol
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml b/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml
index 2c27a702b35..0918c087d6b 100644
--- a/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml
@@ -96,6 +96,8 @@
 name: process.user.name
 - external: ecs
 name: server.address
+- external: ecs
+ name: server.ip # previously it was set as keyword but now it would be type IP, would that be a breaking change?
 - external: ecs
 name: server.port
 - external: ecs
@@ -108,3 +110,5 @@
 name: tls.client.supported_ciphers
 - external: ecs
 name: url.full
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml b/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml
index 31a7235135f..5cdec45a982 100644
--- a/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml
@@ -60,3 +60,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml
index 31a7235135f..5cdec45a982 100644
--- a/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml
@@ -60,3 +60,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml
index e079a962770..c3ff3d48d04 100644
--- a/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml
@@ -84,3 +84,5 @@
 name: vulnerability.score.version
 - external: ecs
 name: vulnerability.severity
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml
index 7d45d9509be..bc51fe56fe4 100644
--- a/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml
@@ -70,3 +70,5 @@
 name: package.type
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml b/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml
index 0bfdefbb6c4..c94861ccf34 100644
--- a/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml
@@ -86,3 +86,5 @@
 name: tags
 - external: ecs
 name: user.name
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml b/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml
index 22e6faaced3..7f69b33c3c4 100644
--- a/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml
@@ -64,3 +64,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/features/fields/ecs.yml b/packages/tychon/elasticsearch/transform/features/fields/ecs.yml
index 7d45d9509be..bc51fe56fe4 100644
--- a/packages/tychon/elasticsearch/transform/features/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/features/fields/ecs.yml
@@ -70,3 +70,5 @@
 name: package.type
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml b/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml
index 31a7235135f..634e60533fa 100644
--- a/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml
@@ -60,3 +60,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip # previously it was set as keyword but now it would be type IP, would that be a breaking change?
diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml
index dafa90e8982..105db0e2f56 100644
--- a/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml
@@ -66,3 +66,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/host/fields/ecs.yml b/packages/tychon/elasticsearch/transform/host/fields/ecs.yml
index 857122fb420..36626e11ce6 100644
--- a/packages/tychon/elasticsearch/transform/host/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/host/fields/ecs.yml
@@ -32,3 +32,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml b/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml
index 2ac6aff0189..db2562fe89e 100644
--- a/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml
@@ -32,3 +32,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml b/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml
index b4846edeb05..1c3d6ba1689 100644
--- a/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml
@@ -76,3 +76,5 @@
 name: package.version
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml
index 464da8ce398..628c74118ed 100644
--- a/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml
@@ -74,3 +74,5 @@
 name: rule.name
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml b/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml
index f0f7dede28a..f7a8ed20a47 100644
--- a/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml
@@ -106,3 +106,5 @@
 name: tags
 - external: ecs
 name: url.full
+- external: ecs
+ name: related.ip
diff --git a/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml
index 31a7235135f..5cdec45a982 100644
--- a/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml
@@ -60,3 +60,5 @@
 name: log.file.path
 - external: ecs
 name: tags
+- external: ecs
+ name: related.ip
From f74e314dfc1da7ae9a5245204476f145a17d9b2f Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 16:11:33 +0100
Subject: [PATCH 12/38] Add missing field mappings in transforms - wiz
---
 .../latest_cdr_misconfigurations/fields/ecs.yml | 4 ++++
 .../latest_cdr_vulnerabilities/fields/fields.yml | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
index 291b675502b..4cb860dea83 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
@@ -28,3 +28,7 @@
 external: ecs
 - name: observer.vendor
 external: ecs
+- name: message
+ external: ecs
+- name: ecs.version
+ external: ecs
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
index 38aa91efa9e..b7c6b004465 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
@@ -6,6 +6,8 @@
 external: ecs
 - name: cloud.region
 external: ecs
+- name: device.id
+ external: ecs
 - name: package.name
 external: ecs
 - name: package.version
@@ -14,6 +16,8 @@
 external: ecs
 - name: vulnerability.id
 external: ecs
+- name: vulnerability.reference
+ external: ecs
 - name: vulnerability.score.base
 external: ecs
 - name: vulnerability.score.version
@@ -34,6 +38,14 @@
 external: ecs
 - name: event.type
 external: ecs
+- name: ecs.version
+ external: ecs
+- name: tags
+ external: ecs
+- name: related.ip
+ external: ecs # should it be keyword instead of IP ? Would this be breaking change?
+- name: message
+ external: ecs
 - name: observer.vendor
 external: ecs
 - name: wiz
From 698dbe9c11aef27d1baa4528e1171894ee2efca0 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 5 Feb 2025 17:45:10 +0100
Subject: [PATCH 13/38] Add changelog entries
---
 packages/box_events/changelog.yml | 5 +++++
 packages/box_events/manifest.yml | 2 +-
 packages/claroty_ctd/changelog.yml | 5 +++++
 packages/claroty_ctd/manifest.yml | 2 +-
 packages/crowdstrike/changelog.yml | 5 +++++
 packages/crowdstrike/manifest.yml | 2 +-
 packages/github/changelog.yml | 5 +++++
 packages/github/manifest.yml | 2 +-
 packages/mimecast/changelog.yml | 5 +++++
 packages/mimecast/manifest.yml | 2 +-
 packages/sublime_security/changelog.yml | 5 +++++
 packages/sublime_security/manifest.yml | 2 +-
 packages/ti_anomali/changelog.yml | 5 +++++
 packages/ti_anomali/manifest.yml | 2 +-
 packages/ti_custom/changelog.yml | 5 +++++
 packages/ti_custom/manifest.yml | 2 +-
 packages/tychon/changelog.yml | 5 +++++
 packages/tychon/manifest.yml | 2 +-
 packages/wiz/changelog.yml | 5 +++++
 packages/wiz/manifest.yml | 2 +-
 20 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml
index b6bddd25d3f..cf7a88c3cb0 100644
--- a/packages/box_events/changelog.yml
+++ b/packages/box_events/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.11.1"
+ changes:
+ - description: Add missing ECS mappings
+ type: bugfix
+ link: http://github.com/elastic/integrations/pull/12624
 - version: "2.11.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
diff --git a/packages/box_events/manifest.yml b/packages/box_events/manifest.yml
index 19349884e3f..64410a128af 100644
--- a/packages/box_events/manifest.yml
+++ b/packages/box_events/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: box_events
 title: Box Events
-version: "2.11.0"
+version: "2.11.1"
 description: "Collect logs from Box with Elastic Agent"
 type: integration
 categories:
diff --git a/packages/claroty_ctd/changelog.yml b/packages/claroty_ctd/changelog.yml
index ec8d8fdcbdf..4726408a9a0 100644
--- a/packages/claroty_ctd/changelog.yml
+++ b/packages/claroty_ctd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.4.1"
+ changes:
+ - description: Add missing ECS mappings
+ type: bugfix
+ link: http://github.com/elastic/integrations/pull/12624
 - version: "0.4.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
diff --git a/packages/claroty_ctd/manifest.yml b/packages/claroty_ctd/manifest.yml
index 1b0e411f6f3..8292c52a6a5 100644
--- a/packages/claroty_ctd/manifest.yml
+++ b/packages/claroty_ctd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: claroty_ctd
 title: Claroty CTD
-version: 0.4.0
+version: 0.4.1
 description: Collect logs from Claroty CTD using Elastic Agent.
 type: integration
 categories:
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 1b50687f103..40b4c80560a 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.49.2"
+ changes:
+ - description: Avoid using dynamic template for flattened fields
+ type: bugfix
+ link: http://github.com/elastic/integrations/pull/12624
 - version: "1.49.1"
 changes:
 - description: Fix network direction handling for FDR data stream.
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index 6e6fb6836ee..bb9c37c7c94 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.49.1"
+version: "1.49.2"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index bb839b37dbc..742b0a09b44 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.1"
+ changes:
+ - description: Add missing ECS field in latest_code_scanning transform
+ type: bugfix
+ link: http://github.com/elastic/integrations/pull/12624
 - version: "2.3.0"
 changes:
 - description: Do not remove `event.original` in main ingest pipeline.
diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml
index 1aacb1290a3..2077caa4370 100644
--- a/packages/github/manifest.yml
+++ b/packages/github/manifest.yml
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "2.3.0"
+version: "2.3.1"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index f612b4ebfb8..bd2a8ee73b3 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.4"
+ changes:
+ - description: Add missing ECS field mappings
+ type: bugfix
+ link: http://github.com/elastic/integrations/pull/12624
 - version: "2.4.3"
 changes:
 - description: Fix rendering of CEL programs in configuration.
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml
index fb2ec29d2c3..0682dacc4da 100644
--- a/packages/mimecast/manifest.yml
+++ b/packages/mimecast/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: mimecast
 title: "Mimecast"
-version: "2.4.3"
+version: "2.4.4"
 description: Collect logs from Mimecast with Elastic Agent.
 type: integration
 categories: ["security", "email_security"]
diff --git a/packages/sublime_security/changelog.yml b/packages/sublime_security/changelog.yml
index 71f74f0d760..14e013d8266 100644
--- a/packages/sublime_security/changelog.yml
+++ b/packages/sublime_security/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.4.1" + changes: + - description: Fix sublime_security.email_message.headers.hops.fields group mappings + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 - version: "1.4.0" changes: - description: Add support for Access Point ARN when collecting logs via the AWS S3 Bucket. diff --git a/packages/sublime_security/manifest.yml b/packages/sublime_security/manifest.yml index 9750e952fdf..52900367617 100644 --- a/packages/sublime_security/manifest.yml +++ b/packages/sublime_security/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.2.1 name: sublime_security title: Sublime Security -version: 1.4.0 +version: 1.4.1 description: Collect logs from Sublime Security with Elastic Agent. type: integration categories: diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index 7ca79e5676a..7a777fc2d6d 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.1" + changes: + - description: Add missing ECS field in intelligence datastream + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 - version: "1.25.0" changes: - description: Do not remove `event.original` in main ingest pipeline. diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml index 2cc2711a022..deb52e44070 100644 --- a/packages/ti_anomali/manifest.yml +++ b/packages/ti_anomali/manifest.yml @@ -1,6 +1,6 @@ name: ti_anomali title: Anomali -version: "1.25.0" +version: "1.25.1" description: Ingest threat intelligence indicators from Anomali with Elastic Agent. type: integration format_version: 3.0.2 diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index d5ff18b9c5c..c0fbc407503 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.7.1" + changes: + - description: Add mapping for threat.indicator.url.original in transform + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 - version: "0.7.0" changes: - description: Add mapping for log file fingerprint. diff --git a/packages/ti_custom/manifest.yml b/packages/ti_custom/manifest.yml index bbed4925f04..f78885242d2 100644 --- a/packages/ti_custom/manifest.yml +++ b/packages/ti_custom/manifest.yml @@ -3,7 +3,7 @@ name: ti_custom title: Custom Threat Intelligence description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent type: integration -version: 0.7.0 +version: 0.7.1 categories: - custom - security diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml index 67b3945590c..a9ec0243876 100644 --- a/packages/tychon/changelog.yml +++ b/packages/tychon/changelog.yml @@ -1,3 +1,8 @@ +- version: "0.2.2" + changes: + - description: Add missing field mappings in transforms + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 - version: "0.2.1" changes: - description: Fix broken links in Security Service integrations packages. diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml index 678f6f54bee..8f019d5d7db 100644 --- a/packages/tychon/manifest.yml +++ b/packages/tychon/manifest.yml @@ -2,7 +2,7 @@ format_version: 3.2.2 name: tychon type: integration title: "TYCHON Agentless" -version: 0.2.1 +version: 0.2.2 source: license: "Elastic-2.0" description: Collect complete master endpoint datasets including vulnerability and STIG to comply with DISA endpoint requirements and C2C without adding services to your endpoints. diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 4219e5238c2..ad51740f2c5 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.7.1" + changes: + - description: Add missing field mappings in transforms + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 - version: "2.7.0" changes: - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error". diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index 49cc058e8a8..b4b19fb002c 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: wiz title: Wiz -version: "2.7.0" +version: "2.7.1" description: Collect logs from Wiz with Elastic Agent. type: integration categories: From 14691581887a03d6d58d5b599e860442b86799c4 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 5 Feb 2025 19:43:08 +0100 Subject: [PATCH 14/38] Update logstash owner in manifest (cherry picked from commit fa96beb000d674ed0264ea61be713bd0109d3faf) --- packages/logstash/manifest.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/logstash/manifest.yml b/packages/logstash/manifest.yml index 7ac30bfa4a5..b596b8f1980 100644 --- a/packages/logstash/manifest.yml +++ b/packages/logstash/manifest.yml @@ -18,7 +18,7 @@ conditions: elastic: subscription: basic owner: - github: elastic/stack-monitoring + github: elastic/logstash type: elastic screenshots: - src: /img/kibana-logstash-log.png @@ -131,4 +131,3 @@ policy_templates: multi: false required: false show_user: false - \ No newline at end of file From a9736ccebf77b91da23a8059383cc2641576a694 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 6 Feb 2025 20:46:24 +0100 Subject: [PATCH 15/38] Remove non-working definition (commented) - sublime_security --- .../data_stream/email_message/fields/fields.yml | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/packages/sublime_security/data_stream/email_message/fields/fields.yml b/packages/sublime_security/data_stream/email_message/fields/fields.yml index 71481927b1b..de19e8d284e 100644 --- a/packages/sublime_security/data_stream/email_message/fields/fields.yml +++ b/packages/sublime_security/data_stream/email_message/fields/fields.yml @@ -647,9 +647,6 @@ # type: object # object_type: keyword # object_type_mapping_type: "*" - # - name: fields.position - # # description: ? - # type: long # should be considered as keyword too? # Option 2: keep position as long - name: fields type: group From 2415ff25a98b680050874450c222ebe5b5fd5d45 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 7 Feb 2025 13:30:52 +0100 Subject: [PATCH 16/38] Test with elastic-package enabling mappings - PR 2381 5b3f7cdba24685a41bb116f37d13f2d4e04502d0 --- .buildkite/pipeline.yml | 2 ++ .buildkite/scripts/common.sh | 2 +- go.mod | 2 ++ go.sum | 4 ++-- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 29daa705014..8825ccd7bdd 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -30,6 +30,8 @@ env: ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI: "${ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI:-false}" # Disable checking for newer versions ELASTIC_PACKAGE_CHECK_UPDATE_DISABLED: "true" + # Select method to validate fields are documented + ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD: "mappings" steps: - label: "Get reference from target branch" diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh index 9bcad94f6c6..386e0fba6c8 100755 --- a/.buildkite/scripts/common.sh +++ b/.buildkite/scripts/common.sh 
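Review bot: The new `ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD: "mappings"` in the `env:` block is a fixed value, unlike the neighbouring `ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI`, which takes its default from the environment, and the commit subject presents this as a trial against an unreleased elastic-package build. An override path would let a branch or a manual Buildkite run fall back to the previous validation method without editing the pipeline: `ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD: "${ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD:-mappings}"`. The comment above it would also help more if it named what `mappings` is being compared with, since the alternative value is not stated anywhere in the hunk.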
@@ -757,7 +757,7 @@ teardown_test_package() { } list_all_directories() { - find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort + find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|github|mimecast|sublime_security|teleport|ti_anomali|ti_custom|tychon|wiz)$' } check_package() { diff --git a/go.mod b/go.mod index 40d68e4d36e..da162a949ab 100644 --- a/go.mod +++ b/go.mod @@ -231,3 +231,5 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) + +replace github.com/elastic/elastic-package => github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246 diff --git a/go.sum b/go.sum index 3cc690a3c6e..bd7219e410a 100644 --- a/go.sum +++ b/go.sum @@ -125,8 +125,6 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0 h1:sx1lpZuTG5suJuvgix4FWQFCLFFbzkoOmPoHWYOPLCY= github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0/go.mod h1:2/30n+2QRzRzus4TPVUV1T3U/j8g2ItUgvP0pcpjLGk= -github.com/elastic/elastic-package v0.109.1 h1:ATZVgYOCI6L5Yr0NxjSX+MsuK4UvXkpu9tDkO4K2vgo= -github.com/elastic/elastic-package v0.109.1/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo= github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo= github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.4.2 h1:bPbGm8bUd8rxzSswFOqvQh1dAkKGkgAmrPxbUi+Y9+A= 
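Review bot: The `grep -E '^(box_events|…|wiz)$'` appended to `list_all_directories` turns the function into a hard-coded allow-list, so on this branch every package outside those eleven names silently stops being tested by any caller of the function, and the list includes `teleport`, which no other hunk in this series touches. The commit subject labels this a test run against an unreleased elastic-package build, so the filter should either be reverted before merge or gated behind a variable, e.g. `find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort | grep -E "${ELASTIC_PACKAGE_TEST_PACKAGES_REGEX:-.}"`. Note also that `grep` exits 1 when nothing matches, which under `pipefail` (not visible here) would make an empty selection look like a script failure, and the missing space in `|grep` departs from the spacing used in the rest of the line.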
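Review bot: The new `replace github.com/elastic/elastic-package => github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246` redirects the tool that validates every package in CI to a personal fork at a pseudo-version, and the accompanying go.sum hunk drops the `v0.109.1` entries for the upstream module. The h1 hash in go.sum keeps the build reproducible, but a fork can be rewritten or deleted at any time and the directive bypasses the review and release process of the upstream module, so it must not reach the main branch; once elastic-package PR 2381 ships, drop the `replace` line and the blank line before it and bump the `require` entry for `github.com/elastic/elastic-package` instead. The pseudo-version's base tag `v0.53.1` is far below the replaced `v0.109.1`, which suggests the fork's tags are stale; the `/go.mod` hash in go.sum is unchanged from upstream, so the dependency graph itself is presumably identical.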
@@ -372,6 +370,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246 h1:EjWls8TjHBNk5E/caFYxZR7DkURTeDevDazWZgO1T7A= +github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo= github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo= From 75c3ceca261629bd0498955eb83dfcee2a815935 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Fri, 7 Feb 2025 13:31:01 +0100 Subject: [PATCH 17/38] Revert "Update logstash owner in manifest" This reverts commit 14691581887a03d6d58d5b599e860442b86799c4. --- packages/logstash/manifest.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/logstash/manifest.yml b/packages/logstash/manifest.yml index b596b8f1980..7ac30bfa4a5 100644 --- a/packages/logstash/manifest.yml +++ b/packages/logstash/manifest.yml @@ -18,7 +18,7 @@ conditions: elastic: subscription: basic owner: - github: elastic/logstash + github: elastic/stack-monitoring type: elastic screenshots: - src: /img/kibana-logstash-log.png @@ -131,3 +131,4 @@ policy_templates: multi: false required: false show_user: false + \ No newline at end of file From 6325c32938ec34ba27cf520792c4294a36241e35 Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 09:58:55 +0100 Subject: [PATCH 18/38] Update changelog descriptions Co-authored-by: Dan Kortschak --- packages/box_events/changelog.yml | 2 +- packages/claroty_ctd/changelog.yml | 2 +- packages/crowdstrike/changelog.yml | 2 +- packages/github/changelog.yml | 2 +- packages/mimecast/changelog.yml | 2 +- packages/sublime_security/changelog.yml | 2 +- packages/ti_anomali/changelog.yml | 2 +- packages/ti_custom/changelog.yml | 2 +- packages/tychon/changelog.yml | 2 +- packages/wiz/changelog.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml index cf7a88c3cb0..81d979bf959 100644 --- a/packages/box_events/changelog.yml +++ b/packages/box_events/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "2.11.1" changes: - - description: Add missing ECS mappings + - description: Add missing ECS mappings. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "2.11.0" diff --git a/packages/claroty_ctd/changelog.yml b/packages/claroty_ctd/changelog.yml index 7d93c1dacd7..0a61e8887e1 100644 --- a/packages/claroty_ctd/changelog.yml +++ b/packages/claroty_ctd/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "0.4.2" changes: - - description: Add missing ECS mappings + - description: Add missing ECS mappings. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "0.4.1" diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 768e56d71b8..fb055cec924 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml 
@@ -1,7 +1,7 @@ # newer versions go on top - version: "1.50.1" changes: - - description: Avoid using dynamic template for flattened fields + - description: Avoid using dynamic template for flattened fields. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "1.50.0" diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml index e139025c014..3ae93a80b6c 100644 --- a/packages/github/changelog.yml +++ b/packages/github/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "2.3.2" changes: - - description: Add missing ECS field in latest_code_scanning transform + - description: Add missing ECS field in latest_code_scanning transform. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "2.3.1" diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index bd2a8ee73b3..c67331857ce 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "2.4.4" changes: - - description: Add missing ECS field mappings + - description: Add missing ECS field mappings. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "2.4.3" diff --git a/packages/sublime_security/changelog.yml b/packages/sublime_security/changelog.yml index 293df98d809..119f8e5f2b4 100644 --- a/packages/sublime_security/changelog.yml +++ b/packages/sublime_security/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "1.5.1" changes: - - description: Fix sublime_security.email_message.headers.hops.fields group mappings + - description: Fix `sublime_security.email_message.headers.hops.fields` group mappings. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "1.5.0" diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index e23a3389fed..a55fc413f26 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml 
@@ -1,7 +1,7 @@ # newer versions go on top - version: "1.25.2" changes: - - description: Add missing ECS field in intelligence datastream + - description: Add missing ECS field in intelligence datastream. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "1.25.1" diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index f6e45173d9e..e7746b13320 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "0.7.2" changes: - - description: Add mapping for threat.indicator.url.original in transform + - description: Add mapping for threat.indicator.url.original in transform. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "0.7.1" diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml index a9ec0243876..15d25a0b78e 100644 --- a/packages/tychon/changelog.yml +++ b/packages/tychon/changelog.yml @@ -1,6 +1,6 @@ - version: "0.2.2" changes: - - description: Add missing field mappings in transforms + - description: Add missing field mappings in transforms. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "0.2.1" diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index ad51740f2c5..e9debe50416 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "2.7.1" changes: - - description: Add missing field mappings in transforms + - description: Add missing field mappings in transforms. type: bugfix link: http://github.com/elastic/integrations/pull/12624 - version: "2.7.0" From ca890675acea379260aaf9185831ca44e396a41c Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 10:06:30 +0100 Subject: [PATCH 19/38] Remove blank lines --- .../data_stream/threat_intel_malware_customer/fields/ecs.yml | 1 - .../data_stream/threat_intel_malware_grid/fields/ecs.yml | 1 - packages/ti_anomali/data_stream/intelligence/fields/ecs.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml index 90ed56f864c..a90546389d4 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml @@ -5,4 +5,3 @@ name: threat.indicator.modified_at - external: ecs name: threat.indicator.first_seen - diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml index 90ed56f864c..a90546389d4 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml @@ -5,4 +5,3 @@ name: threat.indicator.modified_at - external: ecs name: threat.indicator.first_seen - diff --git a/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml b/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml index 7786c1b562c..7c38c80bc26 100644 --- a/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml +++ b/packages/ti_anomali/data_stream/intelligence/fields/ecs.yml @@ -3,4 +3,3 @@ # the correct dynamic template for it. - external: ecs name: threat.indicator.modified_at - From 2b184110b122ca07096b3cbefb40d3427c402e30 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Wed, 12 Feb 2025 13:25:24 +1030 Subject: [PATCH 20/38] add date processors --- .../elasticsearch/ingest_pipeline/default.yml | 26 +++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 12 +++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml index ed9382709ce..b0c0baca2dc 100644 --- a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -889,6 +889,32 @@ processors: } ctx.threat.indicator.type = "software"; ctx.related.indicator_type.add(ctx.threat.indicator.type); + - date: + field: threat.indicator.first_seen + tag: date_threat_indicator_first_seen + target_field: threat.indicator.first_seen + formats: + - ISO8601 + if: ctx.threat?.indicator?.first_seen != null && ctx.threat.indicator.first_seen != '' + on_failure: + - remove: + field: threat.indicator.first_seen + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: threat.indicator.last_seen + tag: date_threat_indicator_last_seen + target_field: threat.indicator.last_seen + formats: + - ISO8601 + if: ctx.threat?.indicator?.last_seen != null && ctx.threat.indicator.last_seen != '' + on_failure: + - remove: + field: threat.indicator.last_seen + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' # Remove or mark invalid IPs. - foreach: 
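Review bot: In both new `date` processors the `on_failure` handler removes the field and appends to `error.message`, but nothing visible marks the document as degraded, so an alert whose `first_seen` or `last_seen` fails to parse is indexed as `event.kind: alert` with the timestamp silently gone. Changelog entries elsewhere in this series (claroty_ctd, wiz) describe `event.kind` being set to `pipeline_error` on failures; per-processor `on_failure` handlers do not reach the pipeline-level handler that presumably does this, so if that convention applies here consider adding `- set: { field: event.kind, value: pipeline_error }` to each handler, or otherwise stating in a comment that a bad timestamp is dropped rather than failing the document. A one-line comment above the pair such as `# Normalise Box's offset timestamps (e.g. -08:10) to UTC; unparseable values are dropped and recorded in error.message` would also explain why the expected test output now carries `Z` timestamps. The processors list continues outside the hunk.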
diff --git a/packages/ti_anomali/data_stream/intelligence/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/data_stream/intelligence/elasticsearch/ingest_pipeline/default.yml index 60397ffa261..88040c3524c 100644 --- a/packages/ti_anomali/data_stream/intelligence/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_anomali/data_stream/intelligence/elasticsearch/ingest_pipeline/default.yml @@ -31,10 +31,17 @@ processors: target_field: event.created ignore_missing: true - - rename: - tag: rename_json_modified_ts + - date: + tag: date_json_modified_ts field: json.modified_ts target_field: threat.indicator.modified_at + formats: + - ISO8601 + if: ctx.json?.modified_ts != null && ctx.json.modified_ts != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - script: tag: script_calculate_deletion_scheduled_at @@ -558,6 +565,7 @@ processors: - json.locations - json.meta.detail - json.meta.detail2 + - json.modified_ts - json.resource_uri - json.sort - json.source_locations From 18bc8ede1496e580bc4348d655da06260610eaf1 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 11:22:59 +0100 Subject: [PATCH 21/38] Update tests box_events --- .../test-malicious-content.log-expected.json | 10 +++--- .../data_stream/events/sample_event.json | 34 ++++++++++--------- 2 files changed, 23 insertions(+), 21 deletions(-) diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json index 2b3c51b857d..d9570cab769 100644 --- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json 
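Review bot: The `date` processor that replaces the `rename` has no explicit `timezone`, so a `json.modified_ts` value without a zone designator is interpreted as UTC by default; the visible expected outputs show no change to `threat.indicator.modified_at`, which is consistent with ThreatStream supplying zoned values, but it is worth confirming and pinning with `timezone: UTC` if that is the contract. When parsing fails the raw value is lost as well: the handler only appends the generic message to `error.message`, and the second hunk adds `json.modified_ts` to the final `remove` list, so the offending string survives only if `event.original` is retained. Consider keeping it reachable on failure, for example by renaming it into a mapped fallback field inside `on_failure` ahead of the `append`, or by leaving it out of the remove list when `error.message` is set.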
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json @@ -116,7 +116,7 @@ "number": 35908 }, "description": "BadMalware, MalwareBot4000, malware.exe Detected by Box Shield from IP 67.43.156.0. This is a really bad file see https://some.link/xyz", - "first_seen": "2022-10-19T11:37:05-08:10", + "first_seen": "2022-10-19T19:47:05.000Z", "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -127,7 +127,7 @@ } }, "ip": "67.43.156.0", - "last_seen": "2022-10-20T11:37:05-08:10", + "last_seen": "2022-10-20T19:47:05.000Z", "provider": "Service name", "reference": "https://some.link/xyz", "type": "software" @@ -241,8 +241,8 @@ "threat": { "indicator": { "description": "BadMalware, MalwareBot4000, malware.exe Detected by Box Shield from IP Unknown IP. This is a really bad file see https://some.link/xyz", - "first_seen": "2022-10-19T11:37:05-08:10", - "last_seen": "2022-10-20T11:37:05-08:10", + "first_seen": "2022-10-19T19:47:05.000Z", + "last_seen": "2022-10-20T19:47:05.000Z", "provider": "Service name", "reference": "https://some.link/xyz", "type": "software" @@ -257,4 +257,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/box_events/data_stream/events/sample_event.json b/packages/box_events/data_stream/events/sample_event.json index 79d2754d747..8e90a5818e9 100644 --- a/packages/box_events/data_stream/events/sample_event.json +++ b/packages/box_events/data_stream/events/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2019-12-08T08:00:00.000Z", "agent": { - "ephemeral_id": "c9ccc0f9-8d0e-4bfa-b365-1fbb4bc530c6", - "id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b", - "name": "docker-fleet-agent", + "ephemeral_id": "026dd623-8d74-4379-a43f-13cb90ac51ba", + "id": "83c9c411-7b8e-4819-9156-80e202799644", + "name": "elastic-agent-17757", "type": "filebeat", - "version": "8.8.1" + "version": "8.13.0" }, "box": { "additional_details": { 
@@ -53,16 +53,16 @@ }, "data_stream": { "dataset": "box_events.events", - "namespace": "ep", + "namespace": "76828", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b", + "id": "83c9c411-7b8e-4819-9156-80e202799644", "snapshot": false, - "version": "8.8.1" + "version": "8.13.0" }, "event": { "action": "SHIELD_ALERT", @@ -71,10 +71,10 @@ "threat", "file" ], - "created": "2023-09-21T01:54:30.945Z", + "created": "2025-02-12T10:21:05.215Z", "dataset": "box_events.events", "id": "97f1b31f-f143-4777-81f8-1b557b39ca33", - "ingested": "2023-09-21T01:54:31Z", + "ingested": "2025-02-12T10:21:08Z", "kind": "alert", "risk_score": 77, "type": [ @@ -85,19 +85,21 @@ "host": { "architecture": "x86_64", "containerized": false, - "hostname": "docker-fleet-agent", - "id": "1de1e3b6561d4ccb9731539ce2f3baf3", + "hostname": "elastic-agent-17757", + "id": "8259e024976a406e8a54cdbffeb84fec", "ip": [ - "172.19.0.7" + "172.19.0.2", + "172.18.0.6" ], "mac": [ - "02-42-AC-13-00-07" + "02-42-AC-12-00-06", + "02-42-AC-13-00-02" ], - "name": "docker-fleet-agent", + "name": "elastic-agent-17757", "os": { "codename": "focal", "family": "debian", - "kernel": "5.10.104-linuxkit", + "kernel": "6.8.0-52-generic", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", @@ -186,4 +188,4 @@ "name": "Some user" } } -} \ No newline at end of file +} From 58077e41471d6089c72a77237963fb314ed4f1cb Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 11:30:17 +0100 Subject: [PATCH 22/38] Regenerate test data for ti_anomali --- .../test-itype-apt-domain.json-expected.json | 6 +- .../test-itype-apt-email.json-expected.json | 6 +- .../test-itype-apt-ip.json-expected.json | 6 +- .../test-itype-apt-url.json-expected.json | 6 +- .../test-itype-bot-ip.json-expected.json | 6 +- .../test-itype-c2-domain.json-expected.json | 6 +- .../test-itype-c2-ip.json-expected.json | 4 +- .../test-itype-c2-url.json-expected.json | 6 +- .../test-itype-i2p-ip.json-expected.json | 4 +- .../test-itype-mal-domain.json-expected.json | 4 +- .../test-itype-mal-email.json-expected.json | 4 +- ...est-itype-mal-file-name.json-expected.json | 6 +- .../test-itype-mal-ip.json-expected.json | 4 +- .../test-itype-mal-ipv6.json-expected.json | 6 +- .../test-itype-mal-md5.json-expected.json | 6 +- .../test-itype-mal-ssdeep.json-expected.json | 6 +- .../test-itype-mal-url.json-expected.json | 4 +- .../test-itype-parked-ip.json-expected.json | 4 +- .../test-itype-phish-email.json-expected.json | 6 +- .../test-itype-phish-ip.json-expected.json | 6 +- .../test-itype-phish-md5.json-expected.json | 6 +- .../test-itype-phish-url.json-expected.json | 6 +- .../test-itype-scan-ip.json-expected.json | 6 +- .../test-itype-spam-domain.json-expected.json | 6 +- .../test-itype-ssh-ip.json-expected.json | 4 +- ...itype-suspicious-domain.json-expected.json | 6 +- .../test-itype-tor-ip.json-expected.json | 6 +- ...ype-torrent-tracker-url.json-expected.json | 4 +- ...pe-whois-privacy-domain.json-expected.json | 4 +- .../intelligence/sample_event.json | 60 +++++++++---------- 30 files changed, 107 insertions(+), 107 deletions(-) diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-domain.json-expected.json index ad7ffb62bc3..a320acb511f 100644 
--- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-domain.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:20.460979459Z", + "@timestamp": "2025-02-12T10:24:06.784043054Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 60, - "deletion_scheduled_at": "2024-12-28T06:39:20.460979459Z", + "deletion_scheduled_at": "2025-05-08T10:24:06.784043054Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "232020126", @@ -58,4 +58,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-email.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-email.json-expected.json index d917dacbf00..c9db725464b 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-email.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-email.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:20.788005289Z", + "@timestamp": "2025-02-12T10:24:07.348248898Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 12, - "deletion_scheduled_at": "2024-12-28T06:39:20.788005289Z", + "deletion_scheduled_at": "2025-05-08T10:24:07.348248898Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "235548914", @@ -58,4 +58,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-ip.json-expected.json index 26e17b34899..ac16b247e9e 100644 
--- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-ip.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:21.088977594Z", + "@timestamp": "2025-02-12T10:24:07.906457098Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": -1, - "deletion_scheduled_at": "2024-12-28T06:39:21.088977594Z", + "deletion_scheduled_at": "2025-05-08T10:24:07.906457098Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "235549247", @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-url.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-url.json-expected.json index 8d659ccb166..2b148eacd49 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-url.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-apt-url.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:21.381143835Z", + "@timestamp": "2025-02-12T10:24:08.460033038Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": -1, - "deletion_scheduled_at": "2024-12-28T06:39:21.381143835Z", + "deletion_scheduled_at": "2025-05-08T10:24:08.460033038Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "235548934", @@ -62,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-bot-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-bot-ip.json-expected.json index 4ef3f4deab1..bbd62b4bdc4 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-bot-ip.json-expected.json 
+++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-bot-ip.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:21.687060318Z", + "@timestamp": "2025-02-12T10:24:09.014353190Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:21.687060318Z", + "deletion_scheduled_at": "2025-05-08T10:24:09.01435319Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184983050", @@ -62,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-domain.json-expected.json index d7dbead3301..40087521090 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-domain.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:21.992278865Z", + "@timestamp": "2025-02-12T10:24:09.580358848Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:21.992278865Z", + "deletion_scheduled_at": "2025-05-08T10:24:09.580358848Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184979083", @@ -65,4 +65,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-ip.json-expected.json index cef31980589..8140a5e4ff1 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-ip.json-expected.json 
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:22.334440753Z", + "@timestamp": "2025-02-12T10:24:10.159539369Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-url.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-url.json-expected.json index 3158848fe94..80894af8132 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-url.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-c2-url.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:22.700703177Z", + "@timestamp": "2025-02-12T10:24:10.714019424Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:22.700703177Z", + "deletion_scheduled_at": "2025-05-08T10:24:10.714019424Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184992550", @@ -72,4 +72,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-i2p-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-i2p-ip.json-expected.json index 11914d96b6c..3dcbc336ee1 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-i2p-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-i2p-ip.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:23.091522426Z", + "@timestamp": "2025-02-12T10:24:11.276647645Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-domain.json-expected.json index f89b44f7ab6..716eb7c236a 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-domain.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:23.450799406Z", + "@timestamp": "2025-02-12T10:24:11.893969228Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -79,4 +79,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-email.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-email.json-expected.json index cf41342060b..367ef7c696e 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-email.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-email.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:23.855444173Z", + "@timestamp": "2025-02-12T10:24:12.496849702Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -61,4 +61,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-file-name.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-file-name.json-expected.json index ee2ad7d8fcf..d924ff48d54 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-file-name.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-file-name.json-expected.json 
@@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:24.257763584Z", + "@timestamp": "2025-02-12T10:24:13.123631052Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:24.257763584Z", + "deletion_scheduled_at": "2025-05-08T10:24:13.123631052Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184983854", @@ -61,4 +61,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ip.json-expected.json index 24479b2ec40..10c398f5266 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ip.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:24.609883642Z", + "@timestamp": "2025-02-12T10:24:13.684357072Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ipv6.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ipv6.json-expected.json index 7ceb2945126..e615af79404 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ipv6.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ipv6.json-expected.json 
@@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:25.002468007Z", + "@timestamp": "2025-02-12T10:24:14.249507155Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 50, - "deletion_scheduled_at": "2024-12-28T06:39:25.002468007Z", + "deletion_scheduled_at": "2025-05-08T10:24:14.249507155Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "231017345", @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-md5.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-md5.json-expected.json index b9195c572da..a31751c5a40 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-md5.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-md5.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:25.378615150Z", + "@timestamp": "2025-02-12T10:24:14.795435050Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 50, - "deletion_scheduled_at": "2024-12-28T06:39:25.37861515Z", + "deletion_scheduled_at": "2025-05-08T10:24:14.79543505Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, "id": "184902936", @@ -64,4 +64,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ssdeep.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ssdeep.json-expected.json index 0053814b64d..087cfe5c079 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ssdeep.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-ssdeep.json-expected.json 
@@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:25.767980042Z", + "@timestamp": "2025-02-12T10:24:15.356495342Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:25.767980042Z", + "deletion_scheduled_at": "2025-05-08T10:24:15.356495342Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184982705", @@ -70,4 +70,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-url.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-url.json-expected.json index 61ca8fcf66e..272da8a371e 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-url.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-mal-url.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:26.176295215Z", + "@timestamp": "2025-02-12T10:24:15.917954795Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -62,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-parked-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-parked-ip.json-expected.json index 52ea818fda9..1827e5831d0 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-parked-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-parked-ip.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:26.525135590Z", + "@timestamp": "2025-02-12T10:24:16.483238880Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-email.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-email.json-expected.json index e885221d323..0212642173f 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-email.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-email.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:26.892105720Z", + "@timestamp": "2025-02-12T10:24:17.041793107Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 75, - "deletion_scheduled_at": "2024-12-28T06:39:26.89210572Z", + "deletion_scheduled_at": "2025-05-08T10:24:17.041793107Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184987648", @@ -61,4 +61,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-ip.json-expected.json index eaf4950e1e5..5830bd7aeec 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-ip.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:27.268837948Z", + "@timestamp": "2025-02-12T10:24:17.619996946Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:27.268837948Z", + "deletion_scheduled_at": "2025-05-08T10:24:17.619996946Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "185006459", @@ -71,4 +71,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-md5.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-md5.json-expected.json index d8969ec07ab..5d6e9929dec 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-md5.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-md5.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:27.610780038Z", + "@timestamp": "2025-02-12T10:24:18.180987785Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:27.610780038Z", + "deletion_scheduled_at": "2025-05-08T10:24:18.180987785Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184983671", @@ -69,4 +69,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-url.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-url.json-expected.json index cffff9ae7eb..b1de511406e 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-url.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-phish-url.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:27.986487043Z", + "@timestamp": "2025-02-12T10:24:18.740262134Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 84, - "deletion_scheduled_at": "2024-12-28T06:39:27.986487043Z", + "deletion_scheduled_at": "2025-05-08T10:24:18.740262134Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184982642", @@ -73,4 +73,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-scan-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-scan-ip.json-expected.json index 86f4f0c0047..13f11e882ee 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-scan-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-scan-ip.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:28.338664864Z", + "@timestamp": "2025-02-12T10:24:19.306536665Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:28.338664864Z", + "deletion_scheduled_at": "2025-05-08T10:24:19.306536665Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184982647", @@ -65,4 +65,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-spam-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-spam-domain.json-expected.json index 9c185186817..723699e3ed2 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-spam-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-spam-domain.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:28.691961888Z", + "@timestamp": "2025-02-12T10:24:19.877309600Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 90, - "deletion_scheduled_at": "2024-12-28T06:39:28.691961888Z", + "deletion_scheduled_at": "2025-05-08T10:24:19.8773096Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184982668", @@ -65,4 +65,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-ssh-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-ssh-ip.json-expected.json index 727a14691da..929c5b4402e 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-ssh-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-ssh-ip.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:29.092702718Z", + "@timestamp": "2025-02-12T10:24:20.439475656Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -56,4 +56,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-suspicious-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-suspicious-domain.json-expected.json index 0e6965eb126..6b2a228416f 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-suspicious-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-suspicious-domain.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:29.449770670Z", + "@timestamp": "2025-02-12T10:24:20.988134598Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 20, - "deletion_scheduled_at": "2024-12-28T06:39:29.44977067Z", + "deletion_scheduled_at": "2025-05-08T10:24:20.988134598Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184994924", @@ -73,4 +73,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-tor-ip.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-tor-ip.json-expected.json index f3f193d4093..561479130e5 100644 
--- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-tor-ip.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-tor-ip.json-expected.json @@ -1,12 +1,12 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:29.824198928Z", + "@timestamp": "2025-02-12T10:24:21.552318146Z", "anomali": { "threatstream": { "can_add_public_tags": true, "confidence": 100, - "deletion_scheduled_at": "2024-12-28T06:39:29.824198928Z", + "deletion_scheduled_at": "2025-05-08T10:24:21.552318146Z", "expiration_ts": "2318-07-09T20:41:16.995Z", "feed_id": 0, "id": "184987219", @@ -72,4 +72,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-torrent-tracker-url.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-torrent-tracker-url.json-expected.json index 1e6d43281fe..392185cf9ef 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-torrent-tracker-url.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-torrent-tracker-url.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:30.192360979Z", + "@timestamp": "2025-02-12T10:24:22.112501258Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -62,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-whois-privacy-domain.json-expected.json b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-whois-privacy-domain.json-expected.json index 3687f0f1bf6..40e728d89f3 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-whois-privacy-domain.json-expected.json +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/pipeline/test-itype-whois-privacy-domain.json-expected.json 
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2024-10-04T06:39:30.565913292Z", + "@timestamp": "2025-02-12T10:24:22.668187183Z", "anomali": { "threatstream": { "can_add_public_tags": true, @@ -82,4 +82,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_anomali/data_stream/intelligence/sample_event.json b/packages/ti_anomali/data_stream/intelligence/sample_event.json index 232d7ed381f..bb394660202 100644 --- a/packages/ti_anomali/data_stream/intelligence/sample_event.json +++ b/packages/ti_anomali/data_stream/intelligence/sample_event.json 
@@ -1,62 +1,62 @@ { - "@timestamp": "2024-10-02T16:04:31.789615115Z", + "@timestamp": "2025-02-12T10:26:45.318654640Z", "agent": { - "ephemeral_id": "bfe2b7b4-003a-49a1-b51b-e41ece98943b", - "id": "72cb3ab8-2baa-4ae5-9a62-ee752a56df42", - "name": "elastic-agent-85520", + "ephemeral_id": "434f328f-443d-4cd9-aad8-717d835a2312", + "id": "c48e3b22-841c-4ed3-ba7f-a039638b8e1b", + "name": "elastic-agent-54553", "type": "filebeat", - "version": "8.14.3" + "version": "8.13.0" }, "anomali": { "threatstream": { "can_add_public_tags": true, - "confidence": 60, - "deletion_scheduled_at": "2024-10-09T16:04:31.789615115Z", + "confidence": 12, + "deletion_scheduled_at": "2025-02-19T10:26:45.31865464Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, - "id": "232020126", + "id": "235548914", "is_anonymous": false, "is_editable": false, "is_public": true, - "itype": "apt_domain", + "itype": "apt_email", "meta": { - "severity": "very-high" + "severity": "medium" }, - "owner_organization_id": 67, + "owner_organization_id": 70, "retina_confidence": -1, - "source_reported_confidence": 60, + "source_reported_confidence": 12, "status": "active", "threat_type": "apt", - "type": "domain", - "update_id": 100000001, - "uuid": "0921be47-9cc2-4265-b896-c62a7cb91042", - "value": "gen1xyz.com" + "type": "email", + "update_id": 100000002, + "uuid": "bc5a223e-f7a1-4acb-b50b-c81395e34218", + "value": "edc2@wsx.com" } }, "data_stream": { "dataset": "ti_anomali.intelligence", - "namespace": "49937", + "namespace": "29572", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "72cb3ab8-2baa-4ae5-9a62-ee752a56df42", + "id": "c48e3b22-841c-4ed3-ba7f-a039638b8e1b", "snapshot": false, - "version": "8.14.3" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2021-04-06T09:56:22.915Z", + "created": "2021-04-29T16:00:35.529Z", "dataset": "ti_anomali.intelligence", - "ingested": "2024-10-02T16:04:31Z", + "ingested": 
"2025-02-12T10:26:45Z", "kind": "enrichment", - "original": "{\"asn\":\"\",\"can_add_public_tags\":true,\"confidence\":60,\"created_by\":null,\"created_ts\":\"2021-04-06T09:56:22.915Z\",\"description\":null,\"expiration_ts\":\"9999-12-31T00:00:00.000Z\",\"feed_id\":0,\"id\":232020126,\"is_anonymous\":false,\"is_editable\":false,\"is_public\":true,\"itype\":\"apt_domain\",\"locations\":[],\"meta\":{\"detail2\":\"imported by user 136\",\"severity\":\"very-high\"},\"modified_ts\":\"2021-04-06T09:56:22.915Z\",\"org\":\"\",\"owner_organization_id\":67,\"rdns\":null,\"resource_uri\":\"/api/v2/intelligence/232020126/\",\"retina_confidence\":-1,\"sort\":[455403032],\"source\":\"Analyst\",\"source_locations\":[],\"source_reported_confidence\":60,\"status\":\"active\",\"subtype\":null,\"tags\":null,\"target_industry\":[],\"threat_type\":\"apt\",\"threatscore\":54,\"tlp\":null,\"trusted_circle_ids\":null,\"type\":\"domain\",\"update_id\":100000001,\"uuid\":\"0921be47-9cc2-4265-b896-c62a7cb91042\",\"value\":\"gen1xyz.com\",\"workgroups\":[]}", - "severity": 9, + "original": "{\"asn\":\"\",\"can_add_public_tags\":true,\"confidence\":12,\"created_by\":null,\"created_ts\":\"2021-04-29T16:00:35.529Z\",\"description\":null,\"expiration_ts\":\"9999-12-31T00:00:00.000Z\",\"feed_id\":0,\"id\":235548914,\"is_anonymous\":false,\"is_editable\":false,\"is_public\":true,\"itype\":\"apt_email\",\"locations\":[],\"meta\":{\"detail2\":\"imported by user 
142\",\"severity\":\"medium\"},\"modified_ts\":\"2021-04-29T16:00:35.529Z\",\"org\":\"\",\"owner_organization_id\":70,\"rdns\":null,\"resource_uri\":\"/api/v2/intelligence/235548914/\",\"retina_confidence\":-1,\"sort\":[467407026],\"source\":\"Analyst\",\"source_locations\":[],\"source_reported_confidence\":12,\"status\":\"active\",\"subtype\":null,\"tags\":null,\"target_industry\":[],\"threat_type\":\"apt\",\"threatscore\":9,\"tlp\":null,\"trusted_circle_ids\":null,\"type\":\"email\",\"update_id\":100000002,\"uuid\":\"bc5a223e-f7a1-4acb-b50b-c81395e34218\",\"value\":\"edc2@wsx.com\",\"workgroups\":[]}", + "severity": 5, "type": [ "indicator" ] @@ -71,16 +71,16 @@ ], "threat": { "indicator": { - "confidence": "Medium", + "confidence": "Low", + "email": { + "address": "edc2@wsx.com" + }, "marking": { "tlp": "WHITE" }, - "modified_at": "2021-04-06T09:56:22.915Z", + "modified_at": "2021-04-29T16:00:35.529Z", "provider": "Analyst", - "type": "domain-name", - "url": { - "domain": "gen1xyz.com" - } + "type": "email-addr" } } -} \ No newline at end of file +} From 879aa336020748dc4070bab6732624c2bf292090 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 11:57:12 +0100 Subject: [PATCH 23/38] Remove commented field definition in sublime_security --- .../data_stream/email_message/fields/fields.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/packages/sublime_security/data_stream/email_message/fields/fields.yml b/packages/sublime_security/data_stream/email_message/fields/fields.yml index de19e8d284e..b9d0c300a09 100644 --- a/packages/sublime_security/data_stream/email_message/fields/fields.yml +++ b/packages/sublime_security/data_stream/email_message/fields/fields.yml 
@@ -641,13 +641,6 @@
 - name: type
 type: keyword
 description: The type of authentication result, derived from the field name.
- # https://github.com/elastic/kibana/pull/204104
- # Option 1: generate all keys as keywords under fields
- # - name: fields
- # type: object
- # object_type: keyword
- # object_type_mapping_type: "*"
- # Option 2: keep position as long
 - name: fields
 type: group
 fields:
@@ -655,7 +648,6 @@
 type: object
 object_type: keyword
 - name: position
- # description: ?
 type: long
 - name: index
 type: long
From 849a22e8861f5a3af799d2081f988e4a62cfcf31 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 12 Feb 2025 12:26:23 +0100
Subject: [PATCH 24/38] Update README - ti_anomali
---
 packages/ti_anomali/docs/README.md | 58 +++++++++++++++---------------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/packages/ti_anomali/docs/README.md b/packages/ti_anomali/docs/README.md
index 274cd88f7a4..3cd2c7a5dae 100644
--- a/packages/ti_anomali/docs/README.md
+++ b/packages/ti_anomali/docs/README.md
@@ -41,64 +41,64 @@ An example event for `intelligence` looks as following: ```json { - "@timestamp": "2024-10-02T16:04:31.789615115Z", + "@timestamp": "2025-02-12T10:26:45.318654640Z", "agent": { - "ephemeral_id": "bfe2b7b4-003a-49a1-b51b-e41ece98943b", - "id": "72cb3ab8-2baa-4ae5-9a62-ee752a56df42", - "name": "elastic-agent-85520", + "ephemeral_id": "434f328f-443d-4cd9-aad8-717d835a2312", + "id": "c48e3b22-841c-4ed3-ba7f-a039638b8e1b", + "name": "elastic-agent-54553", "type": "filebeat", - "version": "8.14.3" + "version": "8.13.0" }, "anomali": { "threatstream": { "can_add_public_tags": true, - "confidence": 60, - "deletion_scheduled_at": "2024-10-09T16:04:31.789615115Z", + "confidence": 12, + "deletion_scheduled_at": "2025-02-19T10:26:45.31865464Z", "expiration_ts": "9999-12-31T00:00:00.000Z", "feed_id": 0, - "id": "232020126", + "id": "235548914", "is_anonymous": false, "is_editable": false, "is_public": true, - "itype": "apt_domain", + "itype": "apt_email", "meta": { - "severity": "very-high" + "severity": "medium" }, - "owner_organization_id": 67, + "owner_organization_id": 70, "retina_confidence": -1, - "source_reported_confidence": 60, + "source_reported_confidence": 12, "status": "active", "threat_type": "apt", - "type": "domain", - "update_id": 100000001, - "uuid": "0921be47-9cc2-4265-b896-c62a7cb91042", - "value": "gen1xyz.com" + "type": "email", + "update_id": 100000002, + "uuid": "bc5a223e-f7a1-4acb-b50b-c81395e34218", + "value": "edc2@wsx.com" } }, "data_stream": { "dataset": "ti_anomali.intelligence", - "namespace": "49937", + "namespace": "29572", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "72cb3ab8-2baa-4ae5-9a62-ee752a56df42", + "id": "c48e3b22-841c-4ed3-ba7f-a039638b8e1b", "snapshot": false, - "version": "8.14.3" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2021-04-06T09:56:22.915Z", + "created": "2021-04-29T16:00:35.529Z", "dataset": 
"ti_anomali.intelligence", - "ingested": "2024-10-02T16:04:31Z", + "ingested": "2025-02-12T10:26:45Z", "kind": "enrichment", - "original": "{\"asn\":\"\",\"can_add_public_tags\":true,\"confidence\":60,\"created_by\":null,\"created_ts\":\"2021-04-06T09:56:22.915Z\",\"description\":null,\"expiration_ts\":\"9999-12-31T00:00:00.000Z\",\"feed_id\":0,\"id\":232020126,\"is_anonymous\":false,\"is_editable\":false,\"is_public\":true,\"itype\":\"apt_domain\",\"locations\":[],\"meta\":{\"detail2\":\"imported by user 136\",\"severity\":\"very-high\"},\"modified_ts\":\"2021-04-06T09:56:22.915Z\",\"org\":\"\",\"owner_organization_id\":67,\"rdns\":null,\"resource_uri\":\"/api/v2/intelligence/232020126/\",\"retina_confidence\":-1,\"sort\":[455403032],\"source\":\"Analyst\",\"source_locations\":[],\"source_reported_confidence\":60,\"status\":\"active\",\"subtype\":null,\"tags\":null,\"target_industry\":[],\"threat_type\":\"apt\",\"threatscore\":54,\"tlp\":null,\"trusted_circle_ids\":null,\"type\":\"domain\",\"update_id\":100000001,\"uuid\":\"0921be47-9cc2-4265-b896-c62a7cb91042\",\"value\":\"gen1xyz.com\",\"workgroups\":[]}", - "severity": 9, + "original": "{\"asn\":\"\",\"can_add_public_tags\":true,\"confidence\":12,\"created_by\":null,\"created_ts\":\"2021-04-29T16:00:35.529Z\",\"description\":null,\"expiration_ts\":\"9999-12-31T00:00:00.000Z\",\"feed_id\":0,\"id\":235548914,\"is_anonymous\":false,\"is_editable\":false,\"is_public\":true,\"itype\":\"apt_email\",\"locations\":[],\"meta\":{\"detail2\":\"imported by user 
142\",\"severity\":\"medium\"},\"modified_ts\":\"2021-04-29T16:00:35.529Z\",\"org\":\"\",\"owner_organization_id\":70,\"rdns\":null,\"resource_uri\":\"/api/v2/intelligence/235548914/\",\"retina_confidence\":-1,\"sort\":[467407026],\"source\":\"Analyst\",\"source_locations\":[],\"source_reported_confidence\":12,\"status\":\"active\",\"subtype\":null,\"tags\":null,\"target_industry\":[],\"threat_type\":\"apt\",\"threatscore\":9,\"tlp\":null,\"trusted_circle_ids\":null,\"type\":\"email\",\"update_id\":100000002,\"uuid\":\"bc5a223e-f7a1-4acb-b50b-c81395e34218\",\"value\":\"edc2@wsx.com\",\"workgroups\":[]}", + "severity": 5, "type": [ "indicator" ] @@ -113,16 +113,16 @@ An example event for `intelligence` looks as following: ], "threat": { "indicator": { - "confidence": "Medium", + "confidence": "Low", + "email": { + "address": "edc2@wsx.com" + }, "marking": { "tlp": "WHITE" }, - "modified_at": "2021-04-06T09:56:22.915Z", + "modified_at": "2021-04-29T16:00:35.529Z", "provider": "Analyst", - "type": "domain-name", - "url": { - "domain": "gen1xyz.com" - } + "type": "email-addr" } } } From e1ec321827360c1ff6fbb587497adaeb376e3592 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 12 Feb 2025 12:52:32 +0100 Subject: [PATCH 25/38] Update transform settings github --- .../elasticsearch/transform/latest_code_scanning/transform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml index 98c3544a6ed..a46e300f258 100644 --- a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml +++ b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml 
@@ -38,5 +38,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.0
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
From ae205795eb25de0a33c61fd023413d73d5b77b6c Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 12 Feb 2025 12:52:41 +0100
Subject: [PATCH 26/38] Update transform settings ti_custom
---
.../elasticsearch/transform/latest_ioc/transform.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
index 9689496118b..702b3f0353a 100644
--- a/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
+++ b/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
@@ -8,7 +8,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
- index: logs-ti_custom_latest.indicator-3
+ index: logs-ti_custom_latest.indicator-4
 aliases:
 - alias: logs-ti_custom_latest.indicator
 move_on_creation: true
@@ -31,4 +31,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.4.0
+ fleet_transform_version: 0.5.0
From 3fa66aa03d16f525aade08d642c2aa1f5b56816d Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 12 Feb 2025 12:52:53 +0100
Subject: [PATCH 27/38] Update transform settings wiz
---
.../transform/latest_cdr_misconfigurations/transform.yml | 4 ++--
.../transform/latest_cdr_vulnerabilities/transform.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
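Review bot: The `move_on_creation: true` on the `logs-ti_custom_latest.indicator` alias, kept as context in the `@@ -8,7 +8,7 @@` hunk, re-points the alias at the newly created `logs-ti_custom_latest.indicator-4` before the reinstalled transform has written its first checkpoint, so any indicator-match rule that reads the alias evaluates against an empty IoC set until the backfill from the source indices completes. The hunk records neither that window nor what becomes of the superseded `indicator-3` index, which presumably keeps the old indicators searchable by name if Fleet does not remove it on reinstall (not visible here). I would add next to `move_on_creation: true` the comment `# NOTE: the alias moves to the new, still-empty index at creation; IoC rules see no indicators until the first checkpoint completes` and note in the package changelog that `logs-ti_custom_latest.indicator-3` can be deleted once the alias points at `-4`.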
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
index 73f90c62902..ada52ed9b5f 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
@@ -2,7 +2,7 @@ source:
 index:
 - "logs-wiz.cloud_configuration_finding-*"
 dest:
- index: "security_solution-wiz.misconfiguration_latest-v1"
+ index: "security_solution-wiz.misconfiguration_latest-v2"
 aliases:
 - alias: "security_solution-wiz.misconfiguration_latest"
 move_on_creation: true
@@ -27,4 +27,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.1.0
+ fleet_transform_version: 0.2.0
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
index 2fba8c6c52b..0b83050b3e5 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
@@ -2,7 +2,7 @@ source:
 index:
 - "logs-wiz.vulnerability-*"
 dest:
- index: "security_solution-wiz.vulnerability_latest-v1"
+ index: "security_solution-wiz.vulnerability_latest-v2"
 aliases:
 - alias: "security_solution-wiz.vulnerability_latest"
 move_on_creation: true
@@ -29,4 +29,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.1.0
+ fleet_transform_version: 0.2.0
From d18eaba6a7cc99e5117cc40de0828606db3f72af Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 12 Feb 2025 12:53:49 +0100
Subject: [PATCH 28/38] Update transform settings tychon
Add missing tychon
---
packages/tychon/elasticsearch/transform/arp/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/browser/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/ciphers/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/coams/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/cpu/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/cve/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/epp/transform.yml | 4 ++--
.../elasticsearch/transform/exposedservice/transform.yml | 4 ++--
.../transform/externaldevicecontrol/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/features/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/harddrive/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/hardware/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/host/transform.yml | 4 ++--
.../elasticsearch/transform/networkadapter/transform.yml | 4 ++--
.../elasticsearch/transform/softwareinventory/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/stig/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/systemcerts/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/volume/transform.yml | 4 ++--
18 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/packages/tychon/elasticsearch/transform/arp/transform.yml b/packages/tychon/elasticsearch/transform/arp/transform.yml
index 139bf316d72..2a218aa49db 100644
--- a/packages/tychon/elasticsearch/transform/arp/transform.yml
+++ b/packages/tychon/elasticsearch/transform/arp/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_arp-1"
+ index: "logs-tychon_latest.dest_arp-2"
 aliases:
 - alias: "logs-tychon_latest.arp"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/browser/transform.yml b/packages/tychon/elasticsearch/transform/browser/transform.yml
index 4a27465d74a..5b8a2f87eeb 100644
--- a/packages/tychon/elasticsearch/transform/browser/transform.yml
+++ b/packages/tychon/elasticsearch/transform/browser/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_browser-1"
+ index: "logs-tychon_latest.dest_browser-2"
 aliases:
 - alias: "logs-tychon_latest.browser"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/ciphers/transform.yml b/packages/tychon/elasticsearch/transform/ciphers/transform.yml
index c25c681b4cd..d475a7b7a45 100644
--- a/packages/tychon/elasticsearch/transform/ciphers/transform.yml
+++ b/packages/tychon/elasticsearch/transform/ciphers/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_ciphers-1"
+ index: "logs-tychon_latest.dest_ciphers-2"
 aliases:
 - alias: "logs-tychon_latest.ciphers"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/coams/transform.yml b/packages/tychon/elasticsearch/transform/coams/transform.yml
index 52f022e58ea..49ca2fdffb3 100644
--- a/packages/tychon/elasticsearch/transform/coams/transform.yml
+++ b/packages/tychon/elasticsearch/transform/coams/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_coams-1"
+ index: "logs-tychon_latest.dest_coams-2"
 aliases:
 - alias: "logs-tychon_latest.coams"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/cpu/transform.yml b/packages/tychon/elasticsearch/transform/cpu/transform.yml
index 9f5abe4a6ca..03a9101ad3d 100644
--- a/packages/tychon/elasticsearch/transform/cpu/transform.yml
+++ b/packages/tychon/elasticsearch/transform/cpu/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_cpu-1"
+ index: "logs-tychon_latest.dest_cpu-2"
 aliases:
 - alias: "logs-tychon_latest.cpu"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/cve/transform.yml b/packages/tychon/elasticsearch/transform/cve/transform.yml
index 8bdd3b5a952..42f59496c5e 100644
--- a/packages/tychon/elasticsearch/transform/cve/transform.yml
+++ b/packages/tychon/elasticsearch/transform/cve/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_cve-1"
+ index: "logs-tychon_latest.dest_cve-2"
 aliases:
 - alias: "logs-tychon_latest.cve"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/epp/transform.yml b/packages/tychon/elasticsearch/transform/epp/transform.yml
index bf5603445dc..128a0ea76e2 100644
--- a/packages/tychon/elasticsearch/transform/epp/transform.yml
+++ b/packages/tychon/elasticsearch/transform/epp/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_epp-1"
+ index: "logs-tychon_latest.dest_epp-2"
 aliases:
 - alias: "logs-tychon_latest.epp"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/exposedservice/transform.yml b/packages/tychon/elasticsearch/transform/exposedservice/transform.yml
index 86746797742..69b54d7529f 100644
--- a/packages/tychon/elasticsearch/transform/exposedservice/transform.yml
+++ b/packages/tychon/elasticsearch/transform/exposedservice/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_exposedservice-1"
+ index: "logs-tychon_latest.dest_exposedservice-2"
 aliases:
 - alias: "logs-tychon_latest.exposedservice"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml b/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml
index dbac8248a39..1ec156718de 100644
--- a/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml
+++ b/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_externaldevicecontrol-1"
+ index: "logs-tychon_latest.dest_externaldevicecontrol-2"
 aliases:
 - alias: "logs-tychon_latest.externaldevicecontrol"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/features/transform.yml b/packages/tychon/elasticsearch/transform/features/transform.yml
index 367259ad4b4..c36b97ae592 100644
--- a/packages/tychon/elasticsearch/transform/features/transform.yml
+++ b/packages/tychon/elasticsearch/transform/features/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_features-1"
+ index: "logs-tychon_latest.dest_features-2"
 aliases:
 - alias: "logs-tychon_latest.features"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/harddrive/transform.yml b/packages/tychon/elasticsearch/transform/harddrive/transform.yml
index 724063ddea6..138c9fdd5a8 100644
--- a/packages/tychon/elasticsearch/transform/harddrive/transform.yml
+++ b/packages/tychon/elasticsearch/transform/harddrive/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_harddrive-1"
+ index: "logs-tychon_latest.dest_harddrive-2"
 aliases:
 - alias: "logs-tychon_latest.harddrive"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/hardware/transform.yml b/packages/tychon/elasticsearch/transform/hardware/transform.yml
index 8351cb2ff8e..adebabf5456 100644
--- a/packages/tychon/elasticsearch/transform/hardware/transform.yml
+++ b/packages/tychon/elasticsearch/transform/hardware/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_hardware-1"
+ index: "logs-tychon_latest.dest_hardware-2"
 aliases:
 - alias: "logs-tychon_latest.hardware"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/host/transform.yml b/packages/tychon/elasticsearch/transform/host/transform.yml
index fb32ac5b45b..d83e6d9a6c6 100644
--- a/packages/tychon/elasticsearch/transform/host/transform.yml
+++ b/packages/tychon/elasticsearch/transform/host/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_host-1"
+ index: "logs-tychon_latest.dest_host-2"
 aliases:
 - alias: "logs-tychon_latest.host"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/networkadapter/transform.yml b/packages/tychon/elasticsearch/transform/networkadapter/transform.yml
index 129312df22a..69aa87c4201 100644
--- a/packages/tychon/elasticsearch/transform/networkadapter/transform.yml
+++ b/packages/tychon/elasticsearch/transform/networkadapter/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_networkadapter-1"
+ index: "logs-tychon_latest.dest_networkadapter-2"
 aliases:
 - alias: "logs-tychon_latest.networkadapter"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml b/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml
index 68cccbba47a..c714a0babb4 100644
--- a/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml
+++ b/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_softwareinventory-1"
+ index: "logs-tychon_latest.dest_softwareinventory-2"
 aliases:
 - alias: "logs-tychon_latest.softwareinventory"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/stig/transform.yml b/packages/tychon/elasticsearch/transform/stig/transform.yml
index ee2aabde49a..01edc2afd6c 100644
--- a/packages/tychon/elasticsearch/transform/stig/transform.yml
+++ b/packages/tychon/elasticsearch/transform/stig/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_stig-1"
+ index: "logs-tychon_latest.dest_stig-2"
 aliases:
 - alias: "logs-tychon_latest.stig"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/systemcerts/transform.yml b/packages/tychon/elasticsearch/transform/systemcerts/transform.yml
index 54dbf998180..c2e448f463b 100644
--- a/packages/tychon/elasticsearch/transform/systemcerts/transform.yml
+++ b/packages/tychon/elasticsearch/transform/systemcerts/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_systemcerts-1"
+ index: "logs-tychon_latest.dest_systemcerts-2"
 aliases:
 - alias: "logs-tychon_latest.systemcerts"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
diff --git a/packages/tychon/elasticsearch/transform/volume/transform.yml b/packages/tychon/elasticsearch/transform/volume/transform.yml
index 3719b19a272..d8a1c63398a 100644
--- a/packages/tychon/elasticsearch/transform/volume/transform.yml
+++ b/packages/tychon/elasticsearch/transform/volume/transform.yml
@@ -15,7 +15,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-tychon_latest.dest_volume-1"
+ index: "logs-tychon_latest.dest_volume-2"
 aliases:
 - alias: "logs-tychon_latest.volume"
 move_on_creation: true
@@ -39,5 +39,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.0.1
+ fleet_transform_version: 1.1.0
 run_as_kibana_system: false
From 3ed832dc06cf70ba31ebd57a1807b0926e43d5d7 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Fri, 14 Feb 2025 12:04:24 +0100
Subject: [PATCH 29/38] Update description for headers.hops.fields.position field
---
.../data_stream/email_message/fields/fields.yml | 1 +
packages/sublime_security/docs/README.md | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/sublime_security/data_stream/email_message/fields/fields.yml b/packages/sublime_security/data_stream/email_message/fields/fields.yml
index b9d0c300a09..727ff19fe1d 100644
--- a/packages/sublime_security/data_stream/email_message/fields/fields.yml
+++ b/packages/sublime_security/data_stream/email_message/fields/fields.yml
@@ -648,6 +648,7 @@
 type: object
 object_type: keyword
 - name: position
+ description: This field's position along the entire list of header fields.
 type: long
 - name: index
 type: long
diff --git a/packages/sublime_security/docs/README.md b/packages/sublime_security/docs/README.md
index 23a1776031b..7c1a7487030 100644
--- a/packages/sublime_security/docs/README.md
+++ b/packages/sublime_security/docs/README.md
@@ -1223,7 +1223,7 @@ An example event for `email_message` looks as following:
 | sublime_security.email_message.headers.hops.authentication_results.spf_details.verdict | Verdict of the SPF. | keyword |
 | sublime_security.email_message.headers.hops.authentication_results.type | The type of authentication result, derived from the field name. | keyword |
 | sublime_security.email_message.headers.hops.fields.\* | | object |
-| sublime_security.email_message.headers.hops.fields.position | | long |
+| sublime_security.email_message.headers.hops.fields.position | This field's position along the entire list of header fields. | long |
 | sublime_security.email_message.headers.hops.index | Index indicates the order in which a hop occurred from sender to recipient. | long |
 | sublime_security.email_message.headers.hops.received.additional.raw | The raw string for remaining additional clauses, such as transport information. | keyword |
 | sublime_security.email_message.headers.hops.received.id.raw | The raw string of 'id' section. | keyword |
From 695555ed5874ba50f45189974aad5fd8ea573b13 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 19 Feb 2025 15:39:25 +0100
Subject: [PATCH 30/38] Revert changes in wiz - moved to #12841
---
packages/wiz/changelog.yml | 5 -----
.../latest_cdr_misconfigurations/fields/ecs.yml | 4 ----
.../latest_cdr_misconfigurations/transform.yml | 4 ++--
.../latest_cdr_vulnerabilities/fields/fields.yml | 12 ------------
.../latest_cdr_vulnerabilities/transform.yml | 4 ++--
packages/wiz/manifest.yml | 2 +-
6 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index 8911cf146d8..71534fea24e 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,9 +1,4 @@
 # newer versions go on top
-- version: "2.8.2"
- changes:
- - description: Add missing field mappings in transforms.
- type: bugfix
- link: http://github.com/elastic/integrations/pull/12624
 - version: "2.8.1"
 changes:
 - description: Updated SSL description in package manifest.yml to be uniform and to include links to documentation.
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
index 4cb860dea83..291b675502b 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
@@ -28,7 +28,3 @@
 external: ecs
 - name: observer.vendor
 external: ecs
-- name: message
- external: ecs
-- name: ecs.version
- external: ecs
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
index ada52ed9b5f..73f90c62902 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
@@ -2,7 +2,7 @@ source:
 index:
 - "logs-wiz.cloud_configuration_finding-*"
 dest:
- index: "security_solution-wiz.misconfiguration_latest-v2"
+ index: "security_solution-wiz.misconfiguration_latest-v1"
 aliases:
 - alias: "security_solution-wiz.misconfiguration_latest"
 move_on_creation: true
@@ -27,4 +27,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.2.0
+ fleet_transform_version: 0.1.0
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
index b7c6b004465..38aa91efa9e 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
@@ -6,8 +6,6 @@
 external: ecs
 - name: cloud.region
 external: ecs
-- name: device.id
- external: ecs
 - name: package.name
 external: ecs
 - name: package.version
@@ -16,8 +14,6 @@
 external: ecs
 - name: vulnerability.id
 external: ecs
-- name: vulnerability.reference
- external: ecs
 - name: vulnerability.score.base
 external: ecs
 - name: vulnerability.score.version
@@ -38,14 +34,6 @@
 external: ecs
 - name: event.type
 external: ecs
-- name: ecs.version
- external: ecs
-- name: tags
- external: ecs
-- name: related.ip
- external: ecs # should it be keyword instead of IP ? Would this be breaking change?
-- name: message
- external: ecs
 - name: observer.vendor
 external: ecs
 - name: wiz
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
index 0b83050b3e5..2fba8c6c52b 100644
--- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
+++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
@@ -2,7 +2,7 @@ source:
 index:
 - "logs-wiz.vulnerability-*"
 dest:
- index: "security_solution-wiz.vulnerability_latest-v2"
+ index: "security_solution-wiz.vulnerability_latest-v1"
 aliases:
 - alias: "security_solution-wiz.vulnerability_latest"
 move_on_creation: true
@@ -29,4 +29,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.2.0
+ fleet_transform_version: 0.1.0
diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml
index 557ef717a4b..1eb68e960da 100644
--- a/packages/wiz/manifest.yml
+++ b/packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: wiz
 title: Wiz
-version: "2.8.2"
+version: "2.8.1"
 description: Collect logs from Wiz with Elastic Agent.
 type: integration
 categories:
From c5f2640bf855b7d4f91a7168259fe0d6b5f5529f Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 19 Feb 2025 15:41:32 +0100
Subject: [PATCH 31/38] Revert changes in tychon - moved to #12841
---
packages/tychon/changelog.yml | 5 -----
packages/tychon/elasticsearch/transform/arp/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/arp/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/browser/fields/ecs.yml | 2 --
.../tychon/elasticsearch/transform/browser/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/ciphers/fields/ecs.yml | 4 ----
.../tychon/elasticsearch/transform/ciphers/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/coams/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/coams/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/cpu/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/cve/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/cve/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/epp/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/epp/transform.yml | 4 ++--
.../elasticsearch/transform/exposedservice/fields/ecs.yml | 2 --
.../elasticsearch/transform/exposedservice/transform.yml | 4 ++--
.../transform/externaldevicecontrol/fields/ecs.yml | 2 --
.../transform/externaldevicecontrol/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/features/fields/ecs.yml | 2 --
.../tychon/elasticsearch/transform/features/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/harddrive/fields/ecs.yml | 2 --
.../tychon/elasticsearch/transform/harddrive/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/hardware/fields/ecs.yml | 2 --
.../tychon/elasticsearch/transform/hardware/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/host/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/host/transform.yml | 4 ++--
.../elasticsearch/transform/networkadapter/fields/ecs.yml | 2 --
.../elasticsearch/transform/networkadapter/transform.yml | 4 ++--
.../elasticsearch/transform/softwareinventory/fields/ecs.yml | 2 --
.../elasticsearch/transform/softwareinventory/transform.yml | 4 ++--
packages/tychon/elasticsearch/transform/stig/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/stig/transform.yml | 4 ++--
.../elasticsearch/transform/systemcerts/fields/ecs.yml | 2 --
.../tychon/elasticsearch/transform/systemcerts/transform.yml | 4 ++--
.../tychon/elasticsearch/transform/volume/fields/ecs.yml | 2 --
packages/tychon/elasticsearch/transform/volume/transform.yml | 4 ++--
packages/tychon/manifest.yml | 2 +-
38 files changed, 37 insertions(+), 80 deletions(-)
diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml
index 15d25a0b78e..67b3945590c 100644
--- a/packages/tychon/changelog.yml
+++ b/packages/tychon/changelog.yml
@@ -1,8 +1,3 @@
-- version: "0.2.2"
- changes:
- - description: Add missing field mappings in transforms.
- type: bugfix
- link: http://github.com/elastic/integrations/pull/12624
 - version: "0.2.1"
 changes:
 - description: Fix broken links in Security Service integrations packages.
diff --git a/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
index 4e57f8022fd..4e9268e07b5 100644
--- a/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
+++ b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
@@ -68,5 +68,3 @@
 name: network.type
 - external: ecs
 name: tags
-- external: ecs
- name: related.ip # should it be kept as keyword instead of IP ? Would that be a breaking change?
diff --git a/packages/tychon/elasticsearch/transform/arp/transform.yml b/packages/tychon/elasticsearch/transform/arp/transform.yml
index 2a218aa49db..139bf316d72 100644
--- a/packages/tychon/elasticsearch/transform/arp/transform.yml
+++ b/packages/tychon/elasticsearch/transform/arp/transform.yml
@@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_arp-2" + index: "logs-tychon_latest.dest_arp-1" aliases: - alias: "logs-tychon_latest.arp" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml b/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml index bb8fd831b87..48cfb3f77fc 100644 --- a/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/browser/fields/ecs.yml @@ -80,5 +80,3 @@ name: tags - external: ecs name: tls.version_protocol -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/browser/transform.yml b/packages/tychon/elasticsearch/transform/browser/transform.yml index 5b8a2f87eeb..4a27465d74a 100644 --- a/packages/tychon/elasticsearch/transform/browser/transform.yml +++ b/packages/tychon/elasticsearch/transform/browser/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_browser-2" + index: "logs-tychon_latest.dest_browser-1" aliases: - alias: "logs-tychon_latest.browser" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml b/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml index 0918c087d6b..2c27a702b35 100644 
--- a/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/ciphers/fields/ecs.yml @@ -96,8 +96,6 @@ name: process.user.name - external: ecs name: server.address -- external: ecs - name: server.ip # previously it was set as keyword but now it would be type IP, would that be a breaking change? - external: ecs name: server.port - external: ecs @@ -110,5 +108,3 @@ name: tls.client.supported_ciphers - external: ecs name: url.full -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/ciphers/transform.yml b/packages/tychon/elasticsearch/transform/ciphers/transform.yml index d475a7b7a45..c25c681b4cd 100644 --- a/packages/tychon/elasticsearch/transform/ciphers/transform.yml +++ b/packages/tychon/elasticsearch/transform/ciphers/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_ciphers-2" + index: "logs-tychon_latest.dest_ciphers-1" aliases: - alias: "logs-tychon_latest.ciphers" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml b/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml index 5cdec45a982..31a7235135f 100644 --- a/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/coams/fields/ecs.yml @@ -60,5 +60,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/coams/transform.yml b/packages/tychon/elasticsearch/transform/coams/transform.yml index 49ca2fdffb3..52f022e58ea 100644 
--- a/packages/tychon/elasticsearch/transform/coams/transform.yml +++ b/packages/tychon/elasticsearch/transform/coams/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_coams-2" + index: "logs-tychon_latest.dest_coams-1" aliases: - alias: "logs-tychon_latest.coams" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml index 5cdec45a982..31a7235135f 100644 --- a/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml @@ -60,5 +60,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/cpu/transform.yml b/packages/tychon/elasticsearch/transform/cpu/transform.yml index 03a9101ad3d..9f5abe4a6ca 100644 --- a/packages/tychon/elasticsearch/transform/cpu/transform.yml +++ b/packages/tychon/elasticsearch/transform/cpu/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_cpu-2" + index: "logs-tychon_latest.dest_cpu-1" aliases: - alias: "logs-tychon_latest.cpu" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false 
diff --git a/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml index c3ff3d48d04..e079a962770 100644 --- a/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/cve/fields/ecs.yml @@ -84,5 +84,3 @@ name: vulnerability.score.version - external: ecs name: vulnerability.severity -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/cve/transform.yml b/packages/tychon/elasticsearch/transform/cve/transform.yml index 42f59496c5e..8bdd3b5a952 100644 --- a/packages/tychon/elasticsearch/transform/cve/transform.yml +++ b/packages/tychon/elasticsearch/transform/cve/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_cve-2" + index: "logs-tychon_latest.dest_cve-1" aliases: - alias: "logs-tychon_latest.cve" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml index bc51fe56fe4..7d45d9509be 100644 --- a/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml @@ -70,5 +70,3 @@ name: package.type - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/epp/transform.yml b/packages/tychon/elasticsearch/transform/epp/transform.yml index 128a0ea76e2..bf5603445dc 100644 --- a/packages/tychon/elasticsearch/transform/epp/transform.yml +++ b/packages/tychon/elasticsearch/transform/epp/transform.yml 
@@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_epp-2" + index: "logs-tychon_latest.dest_epp-1" aliases: - alias: "logs-tychon_latest.epp" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml b/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml index c94861ccf34..0bfdefbb6c4 100644 --- a/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/exposedservice/fields/ecs.yml @@ -86,5 +86,3 @@ name: tags - external: ecs name: user.name -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/exposedservice/transform.yml b/packages/tychon/elasticsearch/transform/exposedservice/transform.yml index 69b54d7529f..86746797742 100644 --- a/packages/tychon/elasticsearch/transform/exposedservice/transform.yml +++ b/packages/tychon/elasticsearch/transform/exposedservice/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_exposedservice-2" + index: "logs-tychon_latest.dest_exposedservice-1" aliases: - alias: "logs-tychon_latest.exposedservice" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false 
diff --git a/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml b/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml index 7f69b33c3c4..22e6faaced3 100644 --- a/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/externaldevicecontrol/fields/ecs.yml @@ -64,5 +64,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml b/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml index 1ec156718de..dbac8248a39 100644 --- a/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml +++ b/packages/tychon/elasticsearch/transform/externaldevicecontrol/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_externaldevicecontrol-2" + index: "logs-tychon_latest.dest_externaldevicecontrol-1" aliases: - alias: "logs-tychon_latest.externaldevicecontrol" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/features/fields/ecs.yml b/packages/tychon/elasticsearch/transform/features/fields/ecs.yml index bc51fe56fe4..7d45d9509be 100644 --- a/packages/tychon/elasticsearch/transform/features/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/features/fields/ecs.yml @@ -70,5 +70,3 @@ name: package.type - external: ecs name: tags -- external: ecs - name: related.ip 
diff --git a/packages/tychon/elasticsearch/transform/features/transform.yml b/packages/tychon/elasticsearch/transform/features/transform.yml index c36b97ae592..367259ad4b4 100644 --- a/packages/tychon/elasticsearch/transform/features/transform.yml +++ b/packages/tychon/elasticsearch/transform/features/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_features-2" + index: "logs-tychon_latest.dest_features-1" aliases: - alias: "logs-tychon_latest.features" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml b/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml index 634e60533fa..31a7235135f 100644 --- a/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/harddrive/fields/ecs.yml @@ -60,5 +60,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip # previously it was set as keyword but now it would be type IP, would that be a breaking change? diff --git a/packages/tychon/elasticsearch/transform/harddrive/transform.yml b/packages/tychon/elasticsearch/transform/harddrive/transform.yml index 138c9fdd5a8..724063ddea6 100644 --- a/packages/tychon/elasticsearch/transform/harddrive/transform.yml +++ b/packages/tychon/elasticsearch/transform/harddrive/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_harddrive-2" + index: "logs-tychon_latest.dest_harddrive-1" aliases: - alias: "logs-tychon_latest.harddrive" move_on_creation: true 
@@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml index 105db0e2f56..dafa90e8982 100644 --- a/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml @@ -66,5 +66,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/hardware/transform.yml b/packages/tychon/elasticsearch/transform/hardware/transform.yml index adebabf5456..8351cb2ff8e 100644 --- a/packages/tychon/elasticsearch/transform/hardware/transform.yml +++ b/packages/tychon/elasticsearch/transform/hardware/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_hardware-2" + index: "logs-tychon_latest.dest_hardware-1" aliases: - alias: "logs-tychon_latest.hardware" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/host/fields/ecs.yml b/packages/tychon/elasticsearch/transform/host/fields/ecs.yml index 36626e11ce6..857122fb420 100644 --- a/packages/tychon/elasticsearch/transform/host/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/host/fields/ecs.yml @@ -32,5 +32,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip 
diff --git a/packages/tychon/elasticsearch/transform/host/transform.yml b/packages/tychon/elasticsearch/transform/host/transform.yml index d83e6d9a6c6..fb32ac5b45b 100644 --- a/packages/tychon/elasticsearch/transform/host/transform.yml +++ b/packages/tychon/elasticsearch/transform/host/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_host-2" + index: "logs-tychon_latest.dest_host-1" aliases: - alias: "logs-tychon_latest.host" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml b/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml index db2562fe89e..2ac6aff0189 100644 --- a/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/networkadapter/fields/ecs.yml @@ -32,5 +32,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/networkadapter/transform.yml b/packages/tychon/elasticsearch/transform/networkadapter/transform.yml index 69aa87c4201..129312df22a 100644 --- a/packages/tychon/elasticsearch/transform/networkadapter/transform.yml +++ b/packages/tychon/elasticsearch/transform/networkadapter/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_networkadapter-2" + index: "logs-tychon_latest.dest_networkadapter-1" aliases: - alias: "logs-tychon_latest.networkadapter" move_on_creation: true 
@@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml b/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml index 1c3d6ba1689..b4846edeb05 100644 --- a/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/softwareinventory/fields/ecs.yml @@ -76,5 +76,3 @@ name: package.version - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml b/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml index c714a0babb4..68cccbba47a 100644 --- a/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml +++ b/packages/tychon/elasticsearch/transform/softwareinventory/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_softwareinventory-2" + index: "logs-tychon_latest.dest_softwareinventory-1" aliases: - alias: "logs-tychon_latest.softwareinventory" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml index 628c74118ed..464da8ce398 100644 --- a/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml 
@@ -74,5 +74,3 @@ name: rule.name - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/stig/transform.yml b/packages/tychon/elasticsearch/transform/stig/transform.yml index 01edc2afd6c..ee2aabde49a 100644 --- a/packages/tychon/elasticsearch/transform/stig/transform.yml +++ b/packages/tychon/elasticsearch/transform/stig/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_stig-2" + index: "logs-tychon_latest.dest_stig-1" aliases: - alias: "logs-tychon_latest.stig" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml b/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml index f7a8ed20a47..f0f7dede28a 100644 --- a/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/systemcerts/fields/ecs.yml @@ -106,5 +106,3 @@ name: tags - external: ecs name: url.full -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/systemcerts/transform.yml b/packages/tychon/elasticsearch/transform/systemcerts/transform.yml index c2e448f463b..54dbf998180 100644 --- a/packages/tychon/elasticsearch/transform/systemcerts/transform.yml +++ b/packages/tychon/elasticsearch/transform/systemcerts/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_systemcerts-2" + index: "logs-tychon_latest.dest_systemcerts-1" aliases: - alias: "logs-tychon_latest.systemcerts" move_on_creation: true 
@@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml index 5cdec45a982..31a7235135f 100644 --- a/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml +++ b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml @@ -60,5 +60,3 @@ name: log.file.path - external: ecs name: tags -- external: ecs - name: related.ip diff --git a/packages/tychon/elasticsearch/transform/volume/transform.yml b/packages/tychon/elasticsearch/transform/volume/transform.yml index d8a1c63398a..3719b19a272 100644 --- a/packages/tychon/elasticsearch/transform/volume/transform.yml +++ b/packages/tychon/elasticsearch/transform/volume/transform.yml @@ -15,7 +15,7 @@ source: # that ability in order to prevent having duplicate data and prevent query # time field type conflicts. dest: - index: "logs-tychon_latest.dest_volume-2" + index: "logs-tychon_latest.dest_volume-1" aliases: - alias: "logs-tychon_latest.volume" move_on_creation: true @@ -39,5 +39,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 1.1.0 + fleet_transform_version: 1.0.1 run_as_kibana_system: false diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml index 8f019d5d7db..678f6f54bee 100644 --- a/packages/tychon/manifest.yml +++ b/packages/tychon/manifest.yml 
@@ -2,7 +2,7 @@ format_version: 3.2.2 name: tychon type: integration title: "TYCHON Agentless" -version: 0.2.2 +version: 0.2.1 source: license: "Elastic-2.0" description: Collect complete master endpoint datasets including vulnerability and STIG to comply with DISA endpoint requirements and C2C without adding services to your endpoints. From 689eb49e8766ec0421d360437fa798fbb9358404 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 19 Feb 2025 15:42:00 +0100 Subject: [PATCH 32/38] Revert changes in ti_custom - moved to #12841 --- packages/ti_custom/changelog.yml | 5 ----- .../elasticsearch/transform/latest_ioc/fields/ecs.yml | 2 -- .../elasticsearch/transform/latest_ioc/transform.yml | 4 ++-- packages/ti_custom/manifest.yml | 2 +- 4 files changed, 3 insertions(+), 10 deletions(-) diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index 2309a48041c..6c8d5550a79 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml @@ -1,9 +1,4 @@ # newer versions go on top -- version: "0.8.1" - changes: - - description: Add mapping for threat.indicator.url.original in transform. - type: bugfix - link: http://github.com/elastic/integrations/pull/12624 - version: "0.8.0" changes: - description: Update Kibana constraint to support 9.0.0. diff --git a/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml index 3e947dce788..e67b0f76c91 100644 --- a/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml +++ b/packages/ti_custom/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -42,8 +42,6 @@ type: keyword - name: threat.indicator.url.full type: keyword -- name: threat.indicator.url.original - type: wildcard # Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14 # Related to fix: https://github.com/elastic/kibana/pull/177608 - name: event.module 
diff --git a/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
index 702b3f0353a..9689496118b 100644
--- a/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
+++ b/packages/ti_custom/elasticsearch/transform/latest_ioc/transform.yml
@@ -8,7 +8,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
- index: logs-ti_custom_latest.indicator-4
+ index: logs-ti_custom_latest.indicator-3
 aliases:
 - alias: logs-ti_custom_latest.indicator
 move_on_creation: true
@@ -31,4 +31,4 @@ _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.5.0
+ fleet_transform_version: 0.4.0
diff --git a/packages/ti_custom/manifest.yml b/packages/ti_custom/manifest.yml
index 05307a2cc43..6631d5149d9 100644
--- a/packages/ti_custom/manifest.yml
+++ b/packages/ti_custom/manifest.yml
@@ -3,7 +3,7 @@ name: ti_custom
 title: Custom Threat Intelligence
 description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent
 type: integration
-version: 0.8.1
+version: 0.8.0
 categories:
 - custom
 - security
From c96630c23e2aa6f94fcfc62273881aeddda9a2ba Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 19 Feb 2025 15:42:44 +0100
Subject: [PATCH 33/38] Revert changes in github - moved to #12841
---
 packages/github/changelog.yml | 5 -----
 .../transform/latest_code_scanning/fields/ecs.yml | 2 --
 .../transform/latest_code_scanning/transform.yml | 4 ++--
 packages/github/manifest.yml | 2 +-
 4 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index 3ae93a80b6c..553356b5022 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,9 +1,4 @@
 # newer versions go on top
-- version: "2.3.2"
- changes:
- - description: Add missing ECS field in latest_code_scanning transform.
- type: bugfix
- link: http://github.com/elastic/integrations/pull/12624
 - version: "2.3.1"
 changes:
 - description: Updated SSL description to be uniform and to include links to documentation.
diff --git a/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml b/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
index d3155a2d1cd..8cfb2793292 100644
--- a/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
+++ b/packages/github/elasticsearch/transform/latest_code_scanning/fields/ecs.yml
@@ -38,5 +38,3 @@
 name: rule.name
 - external: ecs
 name: tags
-- external: ecs
- name: message
diff --git a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
index a46e300f258..06958284992 100644
--- a/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
+++ b/packages/github/elasticsearch/transform/latest_code_scanning/transform.yml
@@ -10,7 +10,7 @@ source:
 # that ability in order to prevent having duplicate data and prevent query
 # time field type conflicts.
 dest:
- index: "logs-github_latest.dest_code_scanning-2"
+ index: "logs-github_latest.dest_code_scanning-1"
 aliases:
 - alias: "logs-github_latest.code_scanning"
 move_on_creation: true
@@ -38,5 +38,5 @@ _meta:
 managed: false
 # Bump this version to delete, reinstall, and restart the transform during
 # package installation.
- fleet_transform_version: 1.1.0
+ fleet_transform_version: 1.0.0
 run_as_kibana_system: false
diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml
index 7719685878d..2077caa4370 100644
--- a/packages/github/manifest.yml
+++ b/packages/github/manifest.yml
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "2.3.2"
+version: "2.3.1"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.0.2"
From 994e14477da58b54e5aea924d13857dd004fdffc Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 19 Feb 2025 15:48:17 +0100
Subject: [PATCH 34/38] Update set of packages to test
---
 .buildkite/scripts/common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh
index 386e0fba6c8..46f3190ce2b 100755
--- a/.buildkite/scripts/common.sh
+++ b/.buildkite/scripts/common.sh
@@ -757,7 +757,7 @@ teardown_test_package() {
 }
 list_all_directories() {
- find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|github|mimecast|sublime_security|teleport|ti_anomali|ti_custom|tychon|wiz)$'
+ find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|mimecast|sublime_security|teleport|ti_anomali)$'
 }
 check_package() {
From a21024c30473527a0ccc7380214dd9d9466fb18e Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 19 Feb 2025 18:41:26 +0100
Subject: [PATCH 35/38] Teleport - Ensure system tests wait to be ingestd all test docs/logs
---
 .../audit/_dev/test/system/test-filestream-config.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml b/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
index f36cf09624a..0f10a5059cc 100644
--- a/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
+++ b/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
@@ -11,3 +11,5 @@ numeric_keyword_fields:
 - log.file.idxhi
 - log.file.idxlo
 - log.file.vol
+assert:
+ hit_count: 270
From 9283cd30630ef4962c608051914935df9009d90a Mon Sep 17 00:00:00 2001
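Review bot: The `grep -E` allowlist added to `list_all_directories` in .buildkite/scripts/common.sh hardcodes a package subset into a shared CI helper with nothing marking it as temporary, so if this commit is taken on its own every package outside the list silently stops being tested. The same line is narrowed again in PATCH 37 and only restored to the plain `sort` output in PATCH 38 of this series. A marker directly above the pipeline, `# TEMP: restrict CI to the packages exercised by this PR; revert before merge`, would make the intent visible to anyone bisecting, and reading the allowlist from an environment variable with an empty default would keep the unfiltered behaviour as the baseline.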
From: Mario Rodriguez Molins
Date: Thu, 20 Feb 2025 12:22:44 +0100
Subject: [PATCH 36/38] Remove changes from teleport - moved to #12851
---
 .../test/system/test-filestream-config.yml | 2 --
 .../ingest_pipeline/event-groups.yml | 18 +----------------
 2 files changed, 1 insertion(+), 19 deletions(-)
diff --git a/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml b/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
index 0f10a5059cc..f36cf09624a 100644
--- a/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
+++ b/packages/teleport/data_stream/audit/_dev/test/system/test-filestream-config.yml
@@ -11,5 +11,3 @@ numeric_keyword_fields:
 - log.file.idxhi
 - log.file.idxlo
 - log.file.vol
-assert:
- hit_count: 270
diff --git a/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml b/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
index 5dce8b6e750..c595b7a8369 100644
--- a/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
+++ b/packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml
@@ -872,20 +872,14 @@ processors:
 field: teleport.audit.aws_region
 target_field: cloud.region
 ignore_missing: true
- # This was failing due to `cloud.region` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_service
 target_field: cloud.service.name
 ignore_missing: true
- # This was failing due to `cloud.service.name` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_host
 target_field: cloud.instance.id
 ignore_missing: true
- # This was failing due to `cloud.instance.id` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.aws_assumed_role
 target_field: teleport.audit.app.aws.assumed_role
@@ -974,8 +968,6 @@ processors:
 field: teleport.audit.db_gcp_instance_id
 target_field: cloud.instance.id
 ignore_missing: true
- # This was failing due to `cloud.instance.id` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.db_roles
 target_field: teleport.audit.database.roles
@@ -1415,8 +1407,6 @@ processors:
 field: teleport.audit.instance_id
 target_field: cloud.instance.id
 ignore_missing: true
- # This was failing due to `cloud.instance.id` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
 - rename:
 field: teleport.audit.exit_code
 target_field: process.exit_code
@@ -1436,17 +1426,11 @@ processors:
field: teleport.audit.account_id
target_field: cloud.account.id
ignore_missing: true
- # This was failing due to `cloud.account.id` already existed
- override: true # Should it be added an if condition? Should it be added a remove processor?
- rename:
field: teleport.audit.region
target_field: cloud.region
ignore_missing: true
- ignore_failure: true # it could already exist this field
- # in case it fails previous rename processor, remove the field (not defined in the package)
- - remove:
- field: teleport.audit.region
- ignore_missing: true
+ ignore_failure: true
- rename:
field: teleport.audit.stdout
target_field: teleport.audit.database.aws.ssm_run.stdout
From 66de3721467bea267b924caa85822d49269295f5 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 20 Feb 2025 12:45:48 +0100
Subject: [PATCH 37/38] Remove teleport from subset of packages to test
---
.buildkite/scripts/common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh
index 46f3190ce2b..a429a5c6a2c 100755
--- a/.buildkite/scripts/common.sh
+++ b/.buildkite/scripts/common.sh
@@ -757,7 +757,7 @@ teardown_test_package() {
}
list_all_directories() {
- find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|mimecast|sublime_security|teleport|ti_anomali)$'
+ find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|mimecast|sublime_security|ti_anomali)$'
}
check_package() {
From c481836dfe1b6d7a5d7ac9cdddbd440812e907b9 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 20 Feb 2025 15:56:44 +0100
Subject: [PATCH 38/38] Revert changes to test validation based on mappings
---
.buildkite/pipeline.yml | 2 --
.buildkite/scripts/common.sh | 2 +-
go.mod | 2 --
go.sum | 4 ++--
4 files changed, 3 insertions(+), 7 deletions(-)
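Review bot: The `ignore_failure: true` kept on the `teleport.audit.region` to `cloud.region` rename (hunk at line 1436) swallows the collision case silently: when `cloud.region` is already set the rename throws, the exception is discarded, and `teleport.audit.region` stays in the document beside a `cloud.region` that came from somewhere else. The `remove` processor being deleted at least cleaned up that leftover field; the new side keeps neither the cleanup nor any record that two region values disagreed, so the indexed audit event can carry a `cloud.region` that is not the one Teleport reported, with nothing to tell an analyst. A condition is more honest than an ignored error: `if: ctx.cloud?.region == null` on the rename, and either a comment pointing at #12851 or a separate processor for the both-set case. Whether `teleport.audit.region` is declared in the package's field definitions is not visible here; the removed comment says it is not, in which case the leftover is also an undocumented field. The `processors` list starts before and continues past this hunk.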
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 8825ccd7bdd..29daa705014 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -30,8 +30,6 @@ env:
ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI: "${ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI:-false}"
# Disable checking for newer versions
ELASTIC_PACKAGE_CHECK_UPDATE_DISABLED: "true"
- # Select method to validate fields are documented
- ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD: "mappings"
steps:
- label: "Get reference from target branch"
diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh
index a429a5c6a2c..9bcad94f6c6 100755
--- a/.buildkite/scripts/common.sh
+++ b/.buildkite/scripts/common.sh
@@ -757,7 +757,7 @@ teardown_test_package() {
}
list_all_directories() {
- find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep -E '^(box_events|claroty_ctd|crowdstrike|mimecast|sublime_security|ti_anomali)$'
+ find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort
}
check_package() {
diff --git a/go.mod b/go.mod
index f36e19bd000..c57848481d7 100644
--- a/go.mod
+++ b/go.mod
@@ -231,5 +231,3 @@ require (
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
-
-replace github.com/elastic/elastic-package => github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246
diff --git a/go.sum b/go.sum
index a091d16b69a..02837f20f1e 100644
--- a/go.sum
+++ b/go.sum
@@ -125,6 +125,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0 h1:sx1lpZuTG5suJuvgix4FWQFCLFFbzkoOmPoHWYOPLCY=
github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0/go.mod h1:2/30n+2QRzRzus4TPVUV1T3U/j8g2ItUgvP0pcpjLGk=
+github.com/elastic/elastic-package v0.109.1 h1:ATZVgYOCI6L5Yr0NxjSX+MsuK4UvXkpu9tDkO4K2vgo=
+github.com/elastic/elastic-package v0.109.1/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo=
github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo=
github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
github.com/elastic/go-licenser v0.4.2 h1:bPbGm8bUd8rxzSswFOqvQh1dAkKGkgAmrPxbUi+Y9+A=
@@ -370,8 +372,6 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
-github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246 h1:EjWls8TjHBNk5E/caFYxZR7DkURTeDevDazWZgO1T7A=
-github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo=
github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=