[SIEM] Update signals index ECS mapping to 1.6-dev, add endpoint alert fields#65740
Pinging @elastic/endpoint-response (Team:Endpoint Response) |
@elasticmachine merge upstream |
Pinging @elastic/siem (Team:SIEM) |
0906b0a to a6a09c8
| } | ||
| } | ||
| } | ||
| } No newline at end of file |
@elasticmachine merge upstream |
Tested by going to this directory: x-pack/plugins/siem/server/lib/detection_engine/scripts
And running:
./hard_reset.sh
./post_rule.sh
./post_rule.sh ./rules/queries/query_with_everything.json
And then looking at each rule run and ensuring that the expected histograms and data look correct.
FrankHassanabad left a comment
👍 Thanks for the ECS upgrade!
@elasticmachine merge upstream |
| }, | ||
| "dll": { | ||
| "properties": { | ||
| "code_signature": { |
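Review bot: if `dll.code_signature` stays a plain `object` field here (sub-properties only, no `type: nested`), a DLL event carrying more than one signature is indexed as flattened arrays of the leaf values and the pairing between each signature's subject and its trusted/untrusted status is lost, so a query for "subject X AND trusted: false" can match across two different signatures. Until the ECS-level handling discussed in this thread lands, either state in the source yml that a single signature per `dll` is assumed, or map `code_signature` as `nested` if multi-signature queries are expected.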
@marshallmain Are we going to address splitting these (trusted/untrusted) in a later PR?
I'm hoping to address it with the ECS team. I think multiple code signatures is something we should address at the ECS level rather than making our own custom changes to it.
Thinking about it more, addressing at the ECS level may take some time. I'd like to merge this so we can start and then merge more changes in future PRs.
@elasticmachine merge upstream |
💚 Build Succeeded
@marshallmain -- you should be good to backport to |
…t fields (elastic#65740)
* update ECS schema to 1.6-dev, add endpoint alert fields
* use updated endpoint team schemas
* add newline
* remove extra options
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
…t fields (#65740) (#66789)
* update ECS schema to 1.6-dev, add endpoint alert fields
* use updated endpoint team schemas
* add newline
* remove extra options
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
This is a stopgap change to start integrating the SIEM signals schema with the endpoint alert schema. This schema was built using the ECS tooling and the custom yaml schemas found at https://github.com/elastic/endpoint-app-team/tree/master/custom_schemas. When the ECS tooling upgrades are finished (elastic/ecs#837 and elastic/ecs#820) we can add yml files for the signal fields and generate the entire mapping with the ECS tooling.
At some point we should move the yml files into the SIEM folder in Kibana, but when we do we should remove them from the endpoint-app-team repo so we don't have multiple copies that could be out of sync.
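The review thread above defers the trusted/untrusted `code_signature` split to ECS, and the summary notes the mapping is generated from yml rather than reviewed by hand, so the practical question for anyone writing rules against the signals index is what a multi-signature event looks like once it is indexed. The script below is an added example, not code from this PR or from Kibana: it simulates, in plain Python, the documented Elasticsearch difference between an `object` field (arrays of sub-objects are flattened into per-leaf value lists) and a `nested` field (each sub-object is queried as a unit). The two mapping fragments, the field names `subject_name`/`trusted` under `dll.code_signature`, and the two-signature alert document are all constructed for illustration, modelled on the snippet under review and on ECS `code_signature.*` naming.

```python
"""Added example: object vs nested semantics for dll.code_signature (simulation,
no Elasticsearch call). Mapping fragments and the alert document are constructed."""
from typing import Any, Dict, List

# Constructed fragment modelled on the snippet under review: code_signature is an
# object with sub-properties, which is what Elasticsearch defaults to without `type`.
OBJECT_MAPPING: Dict[str, Any] = {"dll": {"properties": {"code_signature": {
    "properties": {"subject_name": {"type": "keyword"}, "trusted": {"type": "boolean"}}}}}}

# Same leaves, but declared `nested` so each signature is indexed as its own unit.
NESTED_MAPPING: Dict[str, Any] = {"dll": {"properties": {"code_signature": {
    "type": "nested",
    "properties": {"subject_name": {"type": "keyword"}, "trusted": {"type": "boolean"}}}}}}

# Constructed endpoint-style alert: one DLL carrying two signatures, one trusted, one not.
ALERT: Dict[str, Any] = {"dll": {"code_signature": [
    {"subject_name": "Microsoft Windows", "trusted": True},
    {"subject_name": "Contoso Ltd", "trusted": False},
]}}


def field_type(mapping: Dict[str, Any], path: str) -> str:
    """Return the declared type of a dotted field path; a node with only
    `properties` and no `type` is an `object` field."""
    node: Dict[str, Any] = {"properties": mapping}
    for part in path.split("."):
        node = node["properties"][part]
    return node.get("type", "object")


def flatten_object(doc: Any, prefix: str = "") -> Dict[str, List[Any]]:
    """Index an object-mapped document the way Lucene stores it: object
    boundaries inside arrays disappear and every leaf becomes field -> [values]."""
    out: Dict[str, List[Any]] = {}
    items = doc if isinstance(doc, list) else [doc]
    for item in items:
        for key, value in item.items():
            full = f"{prefix}{key}"
            is_obj_array = isinstance(value, list) and bool(value) and isinstance(value[0], dict)
            if isinstance(value, dict) or is_obj_array:
                for leaf, vals in flatten_object(value, full + ".").items():
                    out.setdefault(leaf, []).extend(vals)
            else:
                out.setdefault(full, []).extend(value if isinstance(value, list) else [value])
    return out


def matches(mapping: Dict[str, Any], doc: Dict[str, Any], path: str,
            criteria: Dict[str, Any]) -> bool:
    """Evaluate an AND of leaf == value terms scoped under `path`, using nested
    semantics (all terms must hit the same sub-object) or object semantics
    (terms may hit values from different sub-objects) per the mapping."""
    if field_type(mapping, path) == "nested":
        node: Any = doc
        for part in path.split("."):
            node = node[part]
        objs = node if isinstance(node, list) else [node]
        return any(all(o.get(k) == v for k, v in criteria.items()) for o in objs)
    flat = flatten_object(doc)
    return all(v in flat.get(f"{path}.{k}", []) for k, v in criteria.items())


if __name__ == "__main__":
    # A rule looking for an untrusted Microsoft-named signature: the object mapping
    # reports a hit by pairing one signature's name with the other's trust flag.
    crit = {"subject_name": "Microsoft Windows", "trusted": False}
    print("object :", matches(OBJECT_MAPPING, ALERT, "dll.code_signature", crit))
    print("nested :", matches(NESTED_MAPPING, ALERT, "dll.code_signature", crit))
    print("flattened:", flatten_object(ALERT))
```

Run against the constructed alert, the object-mapped version answers the "untrusted Microsoft signature" query with a match because `subject_name` and `trusted` are matched independently across the flattened value lists, while the nested version correctly finds no single signature satisfying both terms. That false positive is the concrete cost of leaving `code_signature` as a single object until ECS settles how multiple signatures should be represented.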