
Conversation

@mohitjha-elastic (Collaborator)

Type of change

  • Enhancement

What does this PR do?

Add ECS categorizations for anti-malware events.

Based on guidance from Trend Micro, we have categorized the below-mentioned event IDs as malware alerts (i.e., event.category: malware, event.type: info, event.kind: alert).
IDs = [4000000, 4000001, 4000002, 4000003, 4000010, 4000011, 4000012, 4000013, 4000020, 4000030]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: ^8.11.0

How to test this PR locally

  • Clone the integrations repo.
  • Install elastic-package locally.
  • Start the Elastic stack using elastic-package.
  • Move to the integrations/packages/trendmicro directory.
  • Run the following command to run the tests:

elastic-package test -v

Related issues

Automated Test

test-trend-micro_2.2.0.log
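
The categorization the PR description lays out (a fixed list of anti-malware event IDs mapped to event.kind: alert, event.category: malware, event.type: info) can be checked outside the stack. The block below is an added example, not code from this PR or from the trendmicro integration: it applies that rule to a few constructed Deep Security-style events, handles events whose ID is missing or not numeric, and emits the equivalent ingest `set` processors for comparison. The assumption that the event ID sits in `event.code` (an ECS keyword, hence a string) is the example's own; the integration's pipeline may read it from another field.

```python
# Added example, not code from the trendmicro integration or this PR: a
# stand-alone model of the ECS categorization the PR describes, applied to
# constructed Deep Security-style events, plus the equivalent ingest
# processors. The event ID is ASSUMED to live in event.code.
import json

# Anti-malware event IDs listed in the PR description.
MALWARE_EVENT_IDS = frozenset({
    4000000, 4000001, 4000002, 4000003, 4000010,
    4000011, 4000012, 4000013, 4000020, 4000030,
})


def categorize(event: dict) -> dict:
    """Return a deep copy of `event` with the ECS categorization fields set
    when event.code is one of the anti-malware IDs; other events come back
    unchanged.

    event.code is kept as a string (ECS keyword), so the ID is normalised
    with int() before the membership test; a missing or unparsable code is
    treated as "not one of ours" instead of raising, which is what you want
    from a pipeline step that must never drop a document.
    """
    out = json.loads(json.dumps(event))  # cheap deep copy of plain JSON data
    code = out.get("event", {}).get("code")
    try:
        code_int = int(code)
    except (TypeError, ValueError):
        return out
    if code_int in MALWARE_EVENT_IDS:
        ecs = out.setdefault("event", {})
        ecs["kind"] = "alert"
        ecs["category"] = ["malware"]   # ECS category/type are arrays
        ecs["type"] = ["info"]
    return out


def ingest_processors() -> list:
    """Elasticsearch ingest `set` processors expressing the same rule, for
    comparison with how a pipeline would do it. The `if` condition is
    Painless; ctx.event?.code uses the null-safe operator so events without
    a code skip the check. Same event.code assumption as above."""
    ids = ", ".join(f"'{i}'" for i in sorted(MALWARE_EVENT_IDS))
    cond = f"ctx.event?.code != null && [{ids}].contains(ctx.event.code)"
    return [
        {"set": {"field": "event.kind", "value": "alert", "if": cond}},
        {"set": {"field": "event.category", "value": ["malware"], "if": cond}},
        {"set": {"field": "event.type", "value": ["info"], "if": cond}},
    ]


def is_malware_alert(event: dict) -> bool:
    """Mirror of the KQL a detection rule would use on the result:
    event.kind:alert and event.category:malware."""
    ev = event.get("event", {})
    return ev.get("kind") == "alert" and "malware" in ev.get("category", [])


# Constructed sample events (not real Deep Security output).
SAMPLE_EVENTS = [
    {"event": {"code": "4000000"}, "message": "Anti-Malware event"},
    {"event": {"code": "4000030"}, "message": "Anti-Malware event"},
    {"event": {"code": "1000000"}, "message": "system event"},
    {"event": {"code": "n/a"}, "message": "malformed code"},
    {"message": "no event.code at all"},
]


def run_samples() -> list:
    """Categorize every sample and return the resulting event.kind values."""
    return [categorize(e).get("event", {}).get("kind") for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(json.dumps(categorize(e)))
    print(json.dumps(ingest_processors(), indent=2))
```

Only the first two samples come out as alerts; the non-listed ID, the non-numeric code and the event with no code at all pass through untouched, which is the behaviour to verify in the package's pipeline tests as well.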

@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner March 21, 2024 08:55
@jamiehynds jamiehynds added Team:Service-Integrations Label for the Observability Service Integrations team Integration:trendmicro Trend Micro Deep Security labels Mar 21, 2024
on_failure:
  - append:
      field: error.message
      value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
Contributor

Suggested change
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
@kcreddy (Contributor)

kcreddy commented Mar 21, 2024

/test

@kcreddy kcreddy added the enhancement New feature or request label Mar 21, 2024
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Removed 'fail-' from error.message.
@kcreddy (Contributor) left a comment

LGTM

@kcreddy (Contributor)

kcreddy commented Mar 21, 2024

/test

@elasticmachine

💚 Build Succeeded


@kcreddy kcreddy merged commit 0d706dd into elastic:main Mar 21, 2024
@elasticmachine

Package trendmicro - 2.2.0 containing this change is available at https://epr.elastic.co/search?package=trendmicro

@narph narph added Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] and removed Team:Service-Integrations Label for the Observability Service Integrations team labels Apr 26, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@narph narph added the Crest Contributions from Crest developement team. label Apr 26, 2024