adriansr / nwdevice2filebeat Goto Github PK

View Code? Open in Web Editor NEW

2.0 2.0 3.0 7.18 MB

License: Other

Go 64.33% Ragel 1.44% JavaScript 25.45% Smarty 4.51% Python 2.50% Shell 1.77%

nwdevice2filebeat's People

Contributors

Stargazers

Watchers

Forkers

andrewstucki efd6 getkub

nwdevice2filebeat's Issues

ECS: file.extension must not include leading dot

ECS expects extensions without the leading dot.

This can be dealt with using a custom setter to strip the dot at the ECS enrichment phase.

Also review if an extension extracted from an URL using the URL($EXT, <field>) action needs the dot or not.

barracuda missing ecs field definitions

missing:

event.original
observer.type
observer.vendor
related.ip

f5 missing ecs field definitions

missing:

event.original
observer.ingress
observer.egress
related.ip

Don't use ECS 'geo' fields at root of event

Per ECS, the geo fields are not meant to be used at the root of the event.

Note also that the geo fields are not expected to be used directly at the root of the events.

I think the generated Fleet integrations should not use the external: ecs feature to import these fields geo fields. The package can use their own field definition (to avoid running into errors related to elastic/elastic-package#750) and/or rename the fields to not conflict with ECS guidance.

https://github.com/elastic/integrations/blob/1e4c1e6d65e2851322c1f4ccae483ef06099b9bb/packages/barracuda/data_stream/spamfirewall/fields/ecs.yml#L87-L94

Sophos UTM Missing Fields

Missing ECS fields:

event.original
observer.type
observer.vendor
related.ip
tags

Missing other fields (injected by agent):

agent.hostname
elastic_agent.id
elastic_agent.snapshot
elastic_agent.version
input.type
log.flags
log.source.address

ECS MAC address fields should be uppercase, dash-separated

ECS specifies to use this format for MAC addresses:

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

The to_mac function could apply the formatting. This would cover fixing the ECS fields an also make the rsa.* fields consistently formatted.

Update packages to new spec

config_templates -> policy_templates
dataset dir -> data_stream dir

Citrix missing fields

Missing ECS fields:

event.original
observer.type
observer.vendor
related.ip
tags

Missing other fields (injected by agent):

agent.hostname
elastic_agent.id
elastic_agent.snapshot
elastic_agent.version
input.type
log.flags
log.source.address

Missing Symantec Endpoint Protection Fields

Missing ECS fields:

event.original
observer.type
observer.vendor
related.ip
tags

Missing rsa fields:

rsa.time.duration_time

Missing other fields (injected by agent):

agent.hostname
elastic_agent.id
elastic_agent.snapshot
elastic_agent.version
input.type
log.flags
log.source.address

juniper/netscreen missing ecs field definitions

missing

observer.ingress
observer.egress

proofpoint missing ecs field definitions

missing:

event.original
observer.type
observer.vendor
related.ip

ip_proto field should be mapped to ECS network.transport

Some parsers (imperva) make use of the ip_proto field and it currently doesn't map to ECS. The usage of this field by different parsers should be studied and mapped to the appropriate ECS field if possible (network.transport).

adriansr / nwdevice2filebeat Goto Github PK

nwdevice2filebeat's People

Contributors

Stargazers

Watchers

Forkers

nwdevice2filebeat's Issues

Recommend Projects

Recommend Topics

Recommend Org