Commit 4caeaa4

[D4C] kubernetes category added. trace_point now hook_point (#5836)
* kubernetes category added. trace_point now hook_point
* changelog updated
* dataview created for cloud_defend
* ecs version updated
* hook_point example updated
* example update
* static fields added to ingest processors
* default policy updates, removed conditions that won't be available for v1
* default policy updates
* doc fix
1 parent 1372bc9 commit 4caeaa4

File tree

11 files changed

+75
-17
lines changed

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
11
dependencies:
22
ecs:
3-
reference: git@8.6
3+
reference: git@8.7
44
import_mappings: true
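Review bot: the ECS reference bump from `git@8.6` to `git@8.7` changes the imported mappings for the whole package, but the changelog entry added in this commit mentions only the kubernetes category and the `hook_point` rename; add a line for the ECS update so consumers know which ECS field set the package now imports.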

packages/cloud_defend/changelog.yml

Lines changed: 5 additions & 0 deletions
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "1.0.3"
3+
changes:
4+
- description: Added kubernetes as a category. Renamed trace_point to hook_point
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/5836
27
- version: "1.0.2"
38
changes:
49
- description: Added mapping for cloud_defend.trace_point. Fixed host.name and host.hostname examples, and added cloud.instance.name to field list in README.
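Review bot: the new 1.0.3 entry is typed `enhancement`, yet renaming `cloud_defend.trace_point` to `cloud_defend.hook_point` breaks any saved search, detection rule or dashboard that filters on the old field name; consider `breaking-change`, or at least state the rename's impact in the description. The entry also omits the ECS reference bump and the static `ecs.version`, `agent.type`, `event.module` and `data_stream.*` fields that the ingest pipelines now set, both of which this commit changes.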

packages/cloud_defend/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml

Lines changed: 15 additions & 0 deletions
@@ -1,9 +1,24 @@
11
---
22
description: Pipeline for cloud defend alerts
33
processors:
4+
- set:
5+
field: ecs.version
6+
value: '8.7.0'
7+
- set:
8+
field: agent.type
9+
value: 'cloud-defend'
410
- set:
511
field: event.ingested
612
value: '{{_ingest.timestamp}}'
13+
- set:
14+
field: event.module
15+
value: 'cloud_defend'
16+
- set:
17+
field: data_stream.dataset
18+
value: 'cloud_defend.alerts'
19+
- set:
20+
field: data_stream.type
21+
value: 'logs'
722
on_failure:
823
- set:
924
field: error.message
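Review bot: `agent.type` is set to `cloud-defend` (hyphen) while `event.module` is set to `cloud_defend` (underscore); if both are meant to identify the same integration, pick one spelling, since mixed forms make KQL filters easy to get wrong. Separately, `ecs.version: '8.7.0'` is hard-coded here while the manifest points at `git@8.7`; a comment next to this `set` saying it must track the manifest reference would keep the two from drifting on the next bump.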

packages/cloud_defend/data_stream/alerts/fields/fields.yml

Lines changed: 2 additions & 2 deletions
@@ -7,9 +7,9 @@
77
- name: cloud_defend.package_policy_revision
88
type: short
99
description: The revision of the cloud_defend.package_policy_id
10-
- name: cloud_defend.trace_point
10+
- name: cloud_defend.hook_point
1111
type: keyword
12-
description: The trace point used to trigger the event.
12+
description: An array of hook points used to source the events data.
1313
- name: orchestrator.resource.label
1414
type: flattened
1515
description: An object containing the labels for the resource being acted upon.
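Review bot: in the new `description: An array of hook points used to source the events data.` the possessive should be `event's data`. `type: keyword` is correct for a multi-valued field in Elasticsearch, but the README rows in this commit show `hook_point` once as an array and once as `One of: ...`, so the description and the examples should agree on whether the field is always a list.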

packages/cloud_defend/data_stream/file/elasticsearch/ingest_pipeline/default.yml

Lines changed: 15 additions & 0 deletions
@@ -1,9 +1,24 @@
11
---
22
description: Pipeline for cloud_defend file telemetry
33
processors:
4+
- set:
5+
field: ecs.version
6+
value: '8.7.0'
7+
- set:
8+
field: agent.type
9+
value: 'cloud-defend'
410
- set:
511
field: event.ingested
612
value: '{{_ingest.timestamp}}'
13+
- set:
14+
field: event.module
15+
value: 'cloud_defend'
16+
- set:
17+
field: data_stream.dataset
18+
value: 'cloud_defend.file'
19+
- set:
20+
field: data_stream.type
21+
value: 'logs'
722
on_failure:
823
- set:
924
field: error.message
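Review bot: these six `set` processors are copied verbatim from the alerts pipeline with only the `data_stream.dataset` value differing; because `set` overwrites by default (`override: true`), any `event.module`, `data_stream.dataset` or `data_stream.type` the agent already stamped on the document is silently replaced. That is fine for static fields, but a short comment stating the intent would stop a later edit from assuming the incoming value survives.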

packages/cloud_defend/data_stream/file/fields/fields.yml

Lines changed: 2 additions & 2 deletions
@@ -7,9 +7,9 @@
77
- name: cloud_defend.package_policy_revision
88
type: short
99
description: The revision of the cloud_defend.package_policy_id
10-
- name: cloud_defend.trace_point
10+
- name: cloud_defend.hook_point
1111
type: keyword
12-
description: The trace point used to trigger the event.
12+
description: An array of hook points used to source the events data.
1313
- name: orchestrator.resource.label
1414
type: flattened
1515
description: An object containing the labels for the resource being acted upon.
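Review bot: same possessive typo as in the alerts `fields.yml`: `used to source the events data` should read `the event's data`. The three `fields.yml` files in this commit are otherwise identical, so apply the wording fix to all of them in one pass.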

packages/cloud_defend/data_stream/process/elasticsearch/ingest_pipeline/default.yml

Lines changed: 15 additions & 0 deletions
@@ -1,9 +1,24 @@
11
---
22
description: Pipeline for cloud_defend process telemetry
33
processors:
4+
- set:
5+
field: ecs.version
6+
value: '8.7.0'
7+
- set:
8+
field: agent.type
9+
value: 'cloud-defend'
410
- set:
511
field: event.ingested
612
value: '{{_ingest.timestamp}}'
13+
- set:
14+
field: event.module
15+
value: 'cloud_defend'
16+
- set:
17+
field: data_stream.dataset
18+
value: 'cloud_defend.process'
19+
- set:
20+
field: data_stream.type
21+
value: 'logs'
722
on_failure:
823
- set:
924
field: error.message
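Review bot: `data_stream.dataset` and `data_stream.type` are pinned here but `data_stream.namespace` is not; if the intent is to pin only two of the three routing fields and let the agent supply the namespace, say so in a comment, otherwise a reader will assume the omission is an oversight.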

packages/cloud_defend/data_stream/process/fields/fields.yml

Lines changed: 2 additions & 2 deletions
@@ -7,9 +7,9 @@
77
- name: cloud_defend.package_policy_revision
88
type: short
99
description: The revision of the cloud_defend.package_policy_id
10-
- name: cloud_defend.trace_point
10+
- name: cloud_defend.hook_point
1111
type: keyword
12-
description: The trace point used to trigger the event.
12+
description: An array of hook points used to source the events data.
1313
- name: orchestrator.resource.label
1414
type: flattened
1515
description: An object containing the labels for the resource being acted upon.
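Review bot: the new description `An array of hook points used to source the events data.` needs `event's data`; this is the third copy of the same line in the commit, so fix it together with the alerts and file `fields.yml`.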

packages/cloud_defend/docs/README.md

Lines changed: 2 additions & 4 deletions
@@ -123,9 +123,7 @@ In this example,
123123
| **operation** | The list of system operations to match on. Options include `fork` and `exec`.
124124
| **processExecutable** | A list of executables (full path included) to match on. e.g. /usr/bin/cat. Wildcard support is same as targetFilePath above.
125125
| **processName** | A list of process names (executable basename) to match on. e.g. 'bash', 'vi', 'cat' etc...
126-
| **processUserId** | A list of process user ids to match on. e.g. '0'.
127126
| **sessionLeaderInteractive** | If set to true, will only match on interactive sessions (i.e. sessions with a controlling TTY)
128-
| **sessionLeaderName** | A list of session leader executables basenames to match on. e.g. `bash, zsh, csh, cron etc`**
129127

130128
# Responses
131129

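Review bot: removing the `processUserId` and `sessionLeaderName` rows drops them from the documented selector conditions, but nothing in the changelog entry records that these conditions are not available in v1 (the commit message says they were removed for that reason); a changelog line, or a short note in the README, would save users from looking for them. The removed `sessionLeaderName` row also ended with a stray `**`, so the table renders cleaner after this change.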
@@ -174,7 +172,7 @@ responses:
174172
| cloud_defend.matched_selectors | ['interactiveSessions'] |
175173
| cloud_defend.package_policy_id | '4c9cbba0-c812-11ed-a8dd-91ec403e4f03' |
176174
| cloud_defend.package_policy_revision | 2 |
177-
| cloud_defend.trace_point | ... |
175+
| cloud_defend.hook_point | ['tracepoint__sched_process_fork','tracepoint__sched_process_exec', 'kprobe__taskstats_exit'] |
178176
| [container.id](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-id) | nginx_1
179177
| [container.image.name](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-image-name) | nginx |
180178
| [container.image.tag](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-image-tag) | latest |
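Review bot: the new example `['tracepoint__sched_process_fork','tracepoint__sched_process_exec', 'kprobe__taskstats_exit']` has inconsistent spacing after the commas; while editing it, a sentence in the surrounding text explaining that `hook_point` lists every kernel hook that contributed to the event would make clear why a single process event carries three values.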
@@ -295,7 +293,7 @@ responses:
295293
| cloud_defend.matched_selectors | ['binModifications'] |
296294
| cloud_defend.package_policy_id | 4c9cbba0-c812-11ed-a8dd-91ec403e4f03 |
297295
| cloud_defend.package_policy_revision | 2 |
298-
| cloud_defend.trace_point | One of: lsm__path_chmod, lsm__path_mknod, lsm__file_open, lsm__path_truncate, lsm__path_rename, lsm__path_link, lsm__path_unlink |
296+
| cloud_defend.hook_point | One of: lsm__path_chmod, lsm__path_mknod, lsm__file_open, lsm__path_truncate, lsm__path_rename, lsm__path_link, lsm__path_unlink |
299297
| [container.id](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-id) | nginx_1
300298
| [container.image.name](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-image-name) | nginx |
301299
| [container.image.tag](https://www.elastic.co/guide/en/ecs/current/ecs-container.html#field-container-image-tag) | latest |
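Review bot: this row keeps the `One of: lsm__path_chmod, ...` phrasing from the old `trace_point` field, while the process example earlier in the README shows `hook_point` as a list; since `fields.yml` now describes the field as an array, render this example in the same list form (for instance a single-element list) so readers do not infer that file events use a different value shape.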
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
{
2+
"attributes": {
3+
"description": "",
4+
"title": "logs-cloud_defend*",
5+
"timeFieldName": "@timestamp",
6+
"namespaces": "[*]"
7+
},
8+
"coreMigrationVersion": "8.8.0",
9+
"id": "cloud_defend-42ae0e4c-d963-4661-a507-16e45a793fc2",
10+
"migrationVersion": {
11+
"index-pattern": "8.0.0"
12+
},
13+
"type": "index-pattern"
14+
}
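Review bot: `"namespaces": "[*]"` is a JSON string containing bracket characters, not an array; if a list of namespaces is intended, write `["*"]`. The `title` pattern `logs-cloud_defend*` also matches any data stream whose name merely starts with `logs-cloud_defend`; `logs-cloud_defend.*` would limit the data view to the datasets the pipelines in this commit set (`cloud_defend.alerts`, `cloud_defend.file`, `cloud_defend.process`). An empty `description` is allowed, but a one-line description helps users find the data view in Kibana.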
