[Filebeat] Update Fortinet Ingest Pipeline #24816
Still working on this. Need a 2nd opinion on the 3rd change in the description. Make sure that people think that's the right choice. @ijokarumawak You opened the original issue, what do you think? Also all the documents have
ijokarumawak left a comment:
Hi @legoguy1000. Thanks for preparing the PR! I've looked at the change and found what I requested. So, I am +1 on that aspect. However, I found some not user-friendly Kibana UI behavior in the Security app. Please check my review comments.
@ijokarumawak did you have any concerns about or the
@legoguy1000 I personally don't have any concern about that. I recommend going ahead and letting others review this PR, too.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This pull request is now in conflicts. Could you fix it? 🙏
P1llus left a comment:
Small comment, the rest looks good!
* 22136: Update Fortinet Ingest Pipeline
* Update Pipelines
* Additional updates
* Set virus/ips subtypes to event.kind: alert
* update fields
* Consolidate processors to script
* Update event.outcome logic
* replace hashmap
* update event.outcome
* cleanup
* Added Changes for #25254
* regenerate data
* update changelog
* remove extra items in changelog
(cherry picked from commit 890e473)
Co-authored-by: Alex Resnick <adr8292@gmail.com>
What does this PR do?
Updates the ingest pipeline for the Fortinet firewall module:
* Adds the `uri_parts`, `user_agent` and `community_id` processors
* Adds `observer.serial_number`
* Sets `event.kind: alert` for certain UTM events
* BREAKING CHANGE: stops mapping `fortinet.firewall.eventtype` -> `event.action` and instead sets `event.action` to `fortinet.firewall.action` for the UTM events, to match the other event types.

Why is it important?
Added additional log samples, updated certain fields, removed duplicate actions.
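The mapping changes listed above, written out as an added illustration in the YAML form Filebeat module ingest pipelines use. This fragment is not the module's pipeline from this PR: the old `fortinet.firewall.eventtype` copy is shown commented out for contrast, the field paths `fortinet.firewall.type`, `fortinet.firewall.subtype` and `fortinet.firewall.devid` and the `url.original` / `user_agent.original` source fields are assumptions, and the real pipeline's conditions and field set may differ.

```yaml
description: Illustrative Fortinet pipeline fragment (added example, not the module's own pipeline)
processors:
  # Before the change described in the PR: UTM events took event.action from the
  # Fortinet eventtype field. Kept only as a comment to show what was replaced.
  # - set:
  #     field: event.action
  #     copy_from: fortinet.firewall.eventtype
  #     if: "ctx.fortinet?.firewall?.type == 'utm'"

  # After: every event type, UTM included, takes event.action from the Fortinet
  # action field, so dashboards see one consistent value set.
  - set:
      field: event.action
      copy_from: fortinet.firewall.action
      ignore_empty_value: true
      if: "ctx.fortinet?.firewall?.action != null"

  # Virus and IPS UTM subtypes are security alerts, not plain events.
  # Assumed field name: fortinet.firewall.subtype.
  - set:
      field: event.kind
      value: alert
      if: "ctx.fortinet?.firewall?.subtype != null && ['virus', 'ips'].contains(ctx.fortinet.firewall.subtype)"
  # Everything else keeps the generic kind.
  - set:
      field: event.kind
      value: event
      if: "ctx.event?.kind == null"

  # Device serial number into the ECS observer field.
  # Assumed source field: fortinet.firewall.devid.
  - rename:
      field: fortinet.firewall.devid
      target_field: observer.serial_number
      ignore_missing: true

  # Flow hash so both directions of a connection share one correlation key;
  # skipped when the source/destination 5-tuple is incomplete.
  - community_id:
      ignore_missing: true

  # Decompose the requested URL and the client user agent for web-filter events.
  - uri_parts:
      field: url.original
      ignore_missing: true
  - user_agent:
      field: user_agent.original
      ignore_missing: true
```

Every processor carries `ignore_missing` (or `ignore_empty_value`) so that log types without the source field, for example traffic events with no URL, still pass through the pipeline instead of failing the document.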
Checklist
* `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.