
Conversation


@andrewkroh andrewkroh commented May 17, 2022

What does this PR do?

Format the host.mac field as per ECS (https://www.elastic.co/guide/en/ecs/current/ecs-client.html#field-client-mac).

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

The value also needed to be converted to an array.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
Format host.mac as per ECS. It needed to be uppercased, dash separated, and converted to an array.
@andrewkroh andrewkroh marked this pull request as ready for review May 17, 2022 13:19
@andrewkroh andrewkroh requested a review from a team as a code owner May 17, 2022 13:19
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)


elasticmachine commented May 17, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-05-18T13:22:27.382+0000

  • Duration: 16 min 13 sec

Test stats 🧪

Test Results
Failed 0
Passed 8
Skipped 0
Total 8

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

elasticmachine commented May 17, 2022

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚 3.589
Classes 100.0% (1/1) 💚 3.589
Methods 91.667% (11/12) 👍 3.378
Lines 92.857% (65/70) 👍 3.84
Conditionals 100.0% (0/0) 💚

@efd6 efd6 left a comment

Mod comment.

"alias_host": [
"ntium4450.www5.localdomain"
],
"eth_host": "01:00:5e:ee:e8:77"
Contributor (@efd6):

Should this be changed as well?

Member Author (@andrewkroh):

That's a good point. It would probably be best to change this rsa.eth_host field and all other MACs in the rsa.* namespace at once so the format is consistent for that field.

I opened adriansr/nwdevice2filebeat#21 which would make the changes I did for the ECS fields obsolete, but I expect we'll replace all of the rsa2elk integrations before we modify the generator and update all of the generated integrations again.

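The PR description above gives the target notation (two uppercase hexadecimal digits per octet, octets joined by hyphens, value stored as an array), and the review thread asks whether the colon-separated rsa.eth_host value should get the same treatment so that every MAC field in an event is formatted consistently. The following is an added example, not code from this PR or from the Elastic integrations repository: a small Python normaliser that accepts the usual input notations (colon, hyphen, Cisco dotted, bare hex), emits the RFC 7042 form, and applies it to a list of flattened field names so host.mac and the rsa.* fields end up identical in shape. The ECS validation pattern is not quoted on the page; the regex below is my reading of the RFC 7042 format the description cites and is an assumption. The sample event is constructed; only the "01:00:5e:ee:e8:77" value is taken from the review thread.

```python
import re
from typing import Iterable, List, Optional

# Assumption: ECS validates MAC fields against an RFC 7042-style pattern. The exact
# pattern is not shown on the PR page; this regex is my reading of the cited format
# (two uppercase hex digits per octet, hyphen separated, at least six octets).
ECS_MAC_PATTERN = re.compile(r"^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$")

# After separators are stripped, a MAC is nothing but hex digits.
_HEX_ONLY = re.compile(r"^[0-9A-F]+$")


def to_ecs_mac(value: str) -> Optional[str]:
    """Return the RFC 7042 / ECS form of a MAC address, or None if the input is not one.

    Accepted input notations: 01:00:5e:ee:e8:77, 01-00-5e-ee-e8-77, 0100.5eee.e877,
    01005eeee877. Both EUI-48 (6 octets) and EUI-64 (8 octets) lengths are accepted.
    """
    digits = re.sub(r"[:\-.\s]", "", value.strip()).upper()
    if not _HEX_ONLY.match(digits) or len(digits) not in (12, 16):
        return None
    octets = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "-".join(octets)


def ecs_mac_array(values: Iterable[str]) -> List[str]:
    """ECS mac fields are arrays: normalise every input, drop unparsable ones, dedupe.

    Deduplication matters because the same address may arrive in two notations
    (e.g. "01:00:5e:ee:e8:77" and "01-00-5E-EE-E8-77") and would otherwise be
    indexed twice.
    """
    out: List[str] = []
    for v in values:
        mac = to_ecs_mac(v)
        if mac is not None and mac not in out:
            out.append(mac)
    return out


def normalise_event(event: dict, mac_fields: Iterable[str]) -> dict:
    """Apply the same formatting to every named field of a flattened (dotted-key) event.

    Fields that are absent are left alone; scalar values are promoted to arrays so
    host.mac and any rsa.* MAC field share one shape and one notation.
    """
    result = dict(event)
    for field in mac_fields:
        if field not in result:
            continue
        raw = result[field]
        values = raw if isinstance(raw, list) else [raw]
        result[field] = ecs_mac_array(values)
    return result


# Constructed sample event (flattened keys, as Beats/Elastic Agent emit them).
# The rsa.eth_host value is the one quoted in the review thread; the rest is made up.
SAMPLE_EVENT = {
    "host.mac": "00:1b:63:84:45:e6",
    "rsa.eth_host": "01:00:5e:ee:e8:77",
    "rsa.eth_src": "0100.5eee.e877",
    "host.name": "ntium4450",
}

# Fields that should all carry the same notation; rsa.eth_src is a hypothetical name.
MAC_FIELDS = ["host.mac", "rsa.eth_host", "rsa.eth_src"]


if __name__ == "__main__":
    normalised = normalise_event(SAMPLE_EVENT, MAC_FIELDS)
    for field in MAC_FIELDS:
        macs = normalised[field]
        ok = all(ECS_MAC_PATTERN.match(m) for m in macs)
        print(f"{field}: {macs} (matches ECS pattern: {ok})")
```

Running the block prints every MAC field of the sample event as a one-element array in the 01-00-5E-EE-E8-77 form; a value such as "not-a-mac" is dropped from the array rather than passed through, which is the failure mode the ECS pattern would otherwise reject at index time.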
@andrewkroh andrewkroh merged commit aaf274c into elastic:main May 18, 2022
andrewkroh added a commit that referenced this pull request Jun 28, 2022
This updates the ECS version used in all non-deprecated packages owned by elastic/security-external-integrations. These packages required fixes in order to comply with the `pattern` added to ECS to validate MAC addresses.

  • cef - #3566
  • crowdstrike - #3302
  • cylance.protect - #3368
  • fortinet.fortimanager - #3401
  • iptables.log - #3358
  • microsoft_dhcp - #3300
  • pfsense - #3303
  • snort - #3301
  • sonicwall.firewall - #3360
  • sophos.utm - #3370

NOTE: The following packages were not updated for 8.2.0. I didn't catch anything in 8.1 or 8.2 that needed to be changed.

  • auth0 - 1.12.0
  • carbon_black_cloud - 8.0.0
  • cisco_ise - 8.0.0
  • cisco_meraki - 8.0.0
  • hid_bravura_monitor - 1.12.0
  • modsecurity - 1.12.0
  • mysql_enterprise - 8.0.0
  • netskope - 8.0.0
  • oracle - 8.0.0
  • symantec_endpoint - 1.12.0
  • ti_recordedfuture - 8.0

[git-generate]
go run github.com/andrewkroh/go-examples/ecs-update@6efa1ecb3871 \
  --ecs-version=8.3.0 \
  -ecs-git-ref=v8.3.0 \
  --pr=3353 \
  --owner=elastic/security-external-integrations \
  packages/*

Labels

Integration:cylance CylanceProtect Logs (Deprecated)

3 participants