Skip to content

[Filebeat] Use ingress/egress for crowdstrike and auditd modules#23041

Merged
andrewstucki merged 3 commits intoelastic:masterfrom
andrewstucki:crowdstrike-auditd-ingress-egress
Dec 10, 2020
Merged

[Filebeat] Use ingress/egress for crowdstrike and auditd modules#23041
andrewstucki merged 3 commits intoelastic:masterfrom
andrewstucki:crowdstrike-auditd-ingress-egress

Conversation

@andrewstucki
Copy link
Copy Markdown

@andrewstucki andrewstucki commented Dec 9, 2020
edited
Loading

What does this PR do?

This changes the crowdstrike module to use ingress/egress and adds a bit of functionality into the auditd module to set network.direction by syscall. Since they're both modeling host-oriented data, updated both of them to use ingress/egress.

Interestingly enough, I took a look at some of the pipeline and there are a bunch of cases where we have conditionals that try and categorize syscalls by name, but we don't have any name resolution in the pipeline, so I don't think that they actually work normally. I can create an issue to add resolution based off of the syscall number.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@andrewstucki andrewstucki requested a review from a team December 9, 2020 19:42
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Dec 9, 2020

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Dec 9, 2020
@andrewstucki andrewstucki mentioned this pull request Dec 9, 2020
Closed
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Dec 9, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #23041 updated

  • Start Time: 2020-12-09T22:21:05.467+0000

  • Duration: 53 min 1 sec

Test stats 🧪

Test Results
Failed 0
Passed 5095
Skipped 570
Total 5665

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 5095
Skipped 570
Total 5665

@andrewstucki andrewstucki merged commit 9c89eff into elastic:master Dec 10, 2020
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Dec 10, 2020
[Filebeat] Use ingress/egress for crowdstrike and auditd modules (ela…
35ba353 
…stic#23041)

* [Filebeat] Use ingress/egress for crowdstrike and auditd modules

* Add changelog entry

(cherry picked from commit 9c89eff)
@andrewstucki andrewstucki mentioned this pull request Dec 10, 2020
Merged
6 tasks
andrewstucki pushed a commit that referenced this pull request Dec 10, 2020
Cherry-pick #23041 to 7.x: [Filebeat] Use ingress/egress for crowdstr…
3895e3a 
…ike and auditd modules (#23049)

* [Filebeat] Use ingress/egress for crowdstrike and auditd modules (#23041)

* [Filebeat] Use ingress/egress for crowdstrike and auditd modules

* Add changelog entry

(cherry picked from commit 9c89eff)

* Fix changelog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leehinman leehinman leehinman approved these changes

Assignees

No one assigned

Labels

breaking change ecs enhancement Filebeat Filebeat v7.11.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewstucki @elasticmachine @leehinman