Cherry-pick #23041 to 7.x: [Filebeat] Use ingress/egress for crowdstrike and auditd modules#23049

Merged
andrewstucki merged 3 commits intoelastic:7.xfrom
andrewstucki:backport_23041_7.x
Dec 10, 2020

Conversation


@andrewstucki andrewstucki commented Dec 10, 2020

Cherry-pick of PR #23041 to 7.x branch. Original message:

What does this PR do?

This changes the crowdstrike module to use ingress/egress and adds a bit of functionality to the auditd module to set network.direction by syscall. Since they're both modeling host-oriented data, I updated both of them to use ingress/egress.

Interestingly enough, I took a look at some of the pipeline and there are a bunch of cases where we have conditionals that try to categorize syscalls by name, but we don't have any name resolution in the pipeline, so I don't think that they actually work normally. I can create an issue to add resolution based on the syscall number.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

…stic#23041)

* [Filebeat] Use ingress/egress for crowdstrike and auditd modules

* Add changelog entry

(cherry picked from commit 9c89eff)
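The description above makes two points: auditd records carry a syscall number, not a name, so name-based conditionals need a resolution step first; and once the name is known, host-oriented events should be tagged with the ECS values `ingress`/`egress` rather than `inbound`/`outbound`. The following Python is an added illustration of that two-step derivation and is not code from the Filebeat PR or the auditd module. The x86_64 syscall table subset, the `c000003e`/`40000028` arch codes, the syscall-name to direction mapping, and the field names `arch`, `syscall`, `syscall_name`, and `network.direction` are this example's own assumptions; the sample events are constructed.

```python
"""Added example: resolve auditd syscall numbers to names per architecture,
then derive ECS network.direction (ingress/egress). Not project code."""

# Subset of the Linux x86_64 syscall table (assumption: only the socket-related
# calls that matter for direction are listed here).
X86_64_SYSCALLS = {
    41: "socket",
    42: "connect",
    43: "accept",
    44: "sendto",
    45: "recvfrom",
    46: "sendmsg",
    47: "recvmsg",
    49: "bind",
    50: "listen",
    288: "accept4",
}

# auditd reports the architecture as a hex ELF machine value; c000003e is
# x86_64. Other arches (e.g. 40000028, ARM) have different numbering, so a
# table keyed by arch is required before any name comparison is meaningful.
ARCH_TABLES = {"c000003e": X86_64_SYSCALLS}

# Assumed mapping from syscall name to ECS network.direction. Host-centric
# data uses ingress/egress; inbound/outbound are reserved for perimeter views.
DIRECTION_BY_SYSCALL = {
    "connect": "egress",
    "sendto": "egress",
    "sendmsg": "egress",
    "accept": "ingress",
    "accept4": "ingress",
    "recvfrom": "ingress",
    "recvmsg": "ingress",
}


def resolve_syscall(event):
    """Return the syscall name for a SYSCALL record, or None when the arch is
    unknown or the number is absent/unparseable/not in the table."""
    table = ARCH_TABLES.get(event.get("arch"))
    if table is None:
        return None
    try:
        number = int(event.get("syscall"))
    except (TypeError, ValueError):
        return None
    return table.get(number)


def enrich(event):
    """Copy the event, adding syscall_name and network.direction only when both
    can be derived. Unknown syscalls are left untouched rather than guessed."""
    out = dict(event)
    name = resolve_syscall(event)
    if name is None:
        return out
    out["syscall_name"] = name
    direction = DIRECTION_BY_SYSCALL.get(name)
    if direction is not None:
        out["network.direction"] = direction
    return out


# Constructed sample records (fields trimmed to what the example needs).
SAMPLE_EVENTS = [
    {"arch": "c000003e", "syscall": "42", "success": "yes", "exe": "/usr/bin/curl"},
    {"arch": "c000003e", "syscall": "288", "success": "yes", "exe": "/usr/sbin/sshd"},
    {"arch": "40000028", "syscall": "42", "success": "yes", "exe": "/usr/bin/curl"},
]


def run_samples():
    """Enrich the constructed records; the ARM record gets no direction because
    no table is loaded for that arch."""
    return [enrich(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in run_samples():
        print(e.get("syscall_name"), e.get("network.direction"), e["exe"])
```

The ARM record in the sample deliberately has syscall 42, which is `connect` on x86_64 but something else on ARM; without an arch-specific table the code returns no direction instead of mislabeling it, which is the failure mode the description's remark about missing name resolution points at.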
@botelastic botelastic bot added the needs_team label Dec 10, 2020
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team label Dec 10, 2020

elasticmachine commented Dec 10, 2020

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #23049 updated

  • Start Time: 2020-12-10T00:20:37.692+0000

  • Duration: 51 min 31 sec

Test stats 🧪

Test Results
Failed 0
Passed 5083
Skipped 576
Total 5659

💚 Flaky test report

Tests succeeded.


@andrewstucki andrewstucki merged commit 3895e3a into elastic:7.x Dec 10, 2020
@andrewstucki andrewstucki deleted the backport_23041_7.x branch December 10, 2020 03:26
@zube zube bot removed the [zube]: Done label Mar 10, 2021
3 participants