
[Meta] Expand support for populating event.ingested #20073

@spong

Description


Within Elastic Security we've recently exposed the ability for users to specify the timestamp field used when a Detection Rule runs, in an effort to minimize any gaps in alerts from delayed events. The ECS field most useful here would be event.ingested (elastic/ecs#453, elastic/ecs#582), and so ensuring that this field is populated whenever possible would greatly benefit any downstream use-cases where the system must determine if an event is stale or has been delayed.

Currently it looks like only two modules are setting event.ingested (thanks @leehinman!):

x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml:    field: event.ingested
x-pack/filebeat/module/gsuite/ingest/common.yml:      field: event.ingested

In discussions it looks like we can add the following to relevant pipelines:

- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'

And also update the test modules here:

    # Remove event.ingested from testing, as it will never be the same.
    if obj["event.dataset"] == "microsoft.defender_atp":
        delete_key(obj, "event.ingested")
        delete_key(obj, "@timestamp")

    if obj["event.module"] == "gsuite":
        delete_key(obj, "event.ingested")
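The two steps above (add the set processor, then drop the unstable field in the module tests) and the motivating case (a rule keyed on @timestamp skipping late-arriving events), as an added example that is not part of the issue or of the Beats code base. The pipeline is written in the JSON form that PUT _ingest/pipeline accepts, the sample pipeline and event are constructed for this example, and every function name (sets_event_ingested, with_event_ingested, strip_unstable_fields, ingest_delay_seconds, missed_by_timestamp_window) is this example's own, not a Beats or Elasticsearch API:

```python
import json
from datetime import datetime

# Constructed sample: a module ingest pipeline in JSON form, as sent with
# PUT _ingest/pipeline/<id>, that does not yet populate event.ingested.
SAMPLE_PIPELINE = json.loads("""
{
  "description": "Pipeline for a hypothetical filebeat module (example only)",
  "processors": [
    {"rename": {"field": "message", "target_field": "event.original"}},
    {"json": {"field": "event.original", "target_field": "json"}},
    {"date": {"field": "json.time", "target_field": "@timestamp",
              "formats": ["ISO8601"]}}
  ]
}
""")

# The processor the issue proposes adding to each relevant pipeline.
INGESTED_PROCESSOR = {"set": {"field": "event.ingested",
                              "value": "{{_ingest.timestamp}}"}}

# Constructed sample event: occurred at 10:00, ingested 12.5 minutes later.
SAMPLE_EVENT = {
    "@timestamp": "2020-07-20T10:00:00.000Z",
    "event.ingested": "2020-07-20T10:12:30.000Z",
    "event.module": "gsuite",
    "event.dataset": "gsuite.admin",
}


def sets_event_ingested(pipeline):
    """True if some set processor fills event.ingested from the ingest clock."""
    for proc in pipeline.get("processors", []):
        cfg = proc.get("set")
        if (cfg and cfg.get("field") == "event.ingested"
                and cfg.get("value") == "{{_ingest.timestamp}}"):
            return True
    return False


def with_event_ingested(pipeline):
    """Return a copy of the pipeline with the set processor appended once.

    Idempotent: applying it to a pipeline that already sets the field
    returns an equivalent pipeline with no duplicate processor."""
    out = json.loads(json.dumps(pipeline))  # cheap deep copy
    if not sets_event_ingested(out):
        out.setdefault("processors", []).append(INGESTED_PROCESSOR)
    return out


def delete_key(obj, key):
    # Assumed stand-in for the test harness helper of the same name.
    obj.pop(key, None)


def strip_unstable_fields(obj):
    """Mirror of the test normalisation shown in the issue: drop the fields
    that differ on every run before comparing with the expected output."""
    if obj.get("event.dataset") == "microsoft.defender_atp":
        delete_key(obj, "event.ingested")
        delete_key(obj, "@timestamp")
    if obj.get("event.module") == "gsuite":
        delete_key(obj, "event.ingested")
    return obj


def _parse_ts(value):
    # ECS timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ingest_delay_seconds(event):
    """Seconds between when the event happened and when it was ingested."""
    return (_parse_ts(event["event.ingested"])
            - _parse_ts(event["@timestamp"])).total_seconds()


def missed_by_timestamp_window(event, lookback_seconds):
    """True when a rule that keys its lookback on @timestamp would have
    already moved past this event by the time it arrived. Keying the rule
    on event.ingested instead closes exactly this gap."""
    return ingest_delay_seconds(event) > lookback_seconds


if __name__ == "__main__":
    fixed = with_event_ingested(SAMPLE_PIPELINE)
    print("sets event.ingested:", sets_event_ingested(fixed))
    print("ingest delay (s):", ingest_delay_seconds(SAMPLE_EVENT))
    print("missed by 5 min @timestamp window:",
          missed_by_timestamp_window(SAMPLE_EVENT, 300))
    print("normalised for tests:", strip_unstable_fields(dict(SAMPLE_EVENT)))
```

The delay computation is the defender's check: for a given rule lookback, any event whose ingest delay exceeds the window would be silently skipped by a rule keyed on @timestamp, which is why having event.ingested populated consistently across modules matters.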

Let's use this as a meta issue for tracking the support of event.ingested across modules -- feel free to update this description as things progress.

Currently supported:

  • Filebeat
    • Microsoft Defender
    • GSuite

Yet to be supported:

  • TBD
