[fortinet_fortimanager] Add more ECS fields mappings #11237

Merged (4 commits), Sep 24, 2024
Conversation

@aleksmaus (Contributor) commented Sep 24, 2024

Proposed commit message

Add more ECS fields mappings.

The following mappings were requested to be added in the original issue:

srcip --> source.ip
srcname --> source.domain
srcport --> source.port
dstip --> destination.ip
dstname --> destination.domain
dstcountry --> destination.geo.country_name
unauthuser --> user.name
sentbyte --> source.bytes
rcvdbyte --> destination.bytes
osname --> os.name
direction --> network.direction
crlevel --> risk.static_level
crscore --> risk.static_score_norm
apprisk --> event.risk_score
appcat --> event.category

The following field mappings changed during this PR review:

appcat --> rule.category
srcname --> source.address
dstname --> destination.address

The following fields are still not mapped in this PR, because it is unclear how to map them yet based on the example logs we received. For example:

It's not clear at the moment how to map apprisk to event.risk_score values.
[3] parsing field value failed: field "event.risk_score"'s Go type, string, does not match the expected field type: float (field value: elevated)

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@aleksmaus aleksmaus added enhancement New feature or request Integration:fortinet_fortimanager Fortinet FortiManager Logs labels Sep 24, 2024
@aleksmaus aleksmaus requested a review from a team as a code owner September 24, 2024 14:28
@andrewkroh andrewkroh added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Sep 24, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@taylor-swanson (Contributor)

The appcat value from the actual logs doesn't quite match the expectations for ECS event.category.

Even if you normalized those values into an array, the bigger issue is that event.category only has a limited set of allowed values. In this case, neither event.category nor event.risk_score is a good fit here. For reference, fortinet_fortigate moves appcat into rule.category.

@aleksmaus (Contributor, Author)

> For reference, fortinet_fortigate moves appcat into rule.category.

we could do the same for this integration

or leave as is.

please cast your ballots

@taylor-swanson (Contributor)

I would say align with fortigate (as seen here).

@aleksmaus (Contributor, Author)

> I would say align with fortigate (as seen here).

[image]

@taylor-swanson (Contributor) left a review

I think srcname and dstname should move to source.address/destination.address, since looking at the example logs, we see instances of both an IP address and a hostname in there.

The *.address fields say this in ECS:

Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.
Then it should be duplicated to .ip or .domain, depending on which one it is.

I've used the convert processor (with type ip) to figure out if the value should end up in .ip or .domain.

I really wish a processor could do this automatically for us...

Other changes LGTM.

Comment on lines +985 to +988
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
Contributor (inline review comment)

I was about to say you can just add this handler down at the bottom of the pipeline and not have to add it to every processor that is expected to fail, but I see you are just following the style used in the rest pipeline (one that I don't agree with, but that's a separate issue).

No changes need to be made here.
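The address routing described in this review, together with the field mappings listed in the PR description, as an added Python illustration (this is not the integration's own YAML ingest pipeline; the dictionaries, function names and the sample record are constructed for the example). The raw value is kept in `.address`, copied to `.ip` only when it parses as an IP address and to `.domain` otherwise, while the unmappable `apprisk` label is recorded in `error.message` the way the pipeline's `on_failure` handler does.

```python
import ipaddress

# Constructed illustration of the PR's mappings (not the integration's YAML).
DIRECT = {
    "srcip": "source.ip", "dstip": "destination.ip",
    "dstcountry": "destination.geo.country_name", "unauthuser": "user.name",
    "osname": "os.name", "direction": "network.direction",
    "crlevel": "risk.static_level", "appcat": "rule.category",
}
NUMERIC = {  # fields that need a typed value: FortiManager key -> (ECS field, cast)
    "srcport": ("source.port", int), "sentbyte": ("source.bytes", int),
    "rcvdbyte": ("destination.bytes", int),
    "crscore": ("risk.static_score_norm", float),
}
ADDRESS = {"srcname": "source", "dstname": "destination"}  # ambiguous IP-or-hostname

def route_address(ecs, prefix, raw):
    """Keep raw in <prefix>.address, then copy to .ip if it parses as an
    address (the convert-to-ip step) and to .domain otherwise."""
    ecs[f"{prefix}.address"] = raw
    try:
        ecs[f"{prefix}.ip"] = str(ipaddress.ip_address(raw))
    except ValueError:
        ecs[f"{prefix}.domain"] = raw

def map_event(fields):
    """Map one decoded FortiManager key=value record to ECS field names."""
    ecs, errors = {}, []
    for key, raw in fields.items():
        if key in DIRECT:
            ecs[DIRECT[key]] = raw
        elif key in NUMERIC:
            target, cast = NUMERIC[key]
            try:
                ecs[target] = cast(raw)
            except ValueError:
                errors.append(f"field {target!r}: cannot convert {raw!r}")
        elif key in ADDRESS:
            route_address(ecs, ADDRESS[key], raw)
        elif key == "apprisk":
            # Deliberately unmapped: event.risk_score is a float in ECS and the
            # device emits labels such as "elevated" (see the PR description).
            errors.append(f"field 'event.risk_score': unmapped label {raw!r}")
    if errors:
        ecs["error.message"] = errors  # like the pipeline's on_failure append
    return ecs

# Constructed sample record; values are illustrative, not real log data.
SAMPLE = {"srcname": "10.1.2.3", "dstname": "updates.example.com", "srcport": "51234",
          "sentbyte": "1024", "apprisk": "elevated", "appcat": "Network.Service"}
```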

@aleksmaus (Contributor, Author)

> I think srcname and dstname should move to source.address/destination.address, since looking at the example logs, we see instances of both an IP address and a hostname in there.

Updated

@aleksmaus aleksmaus merged commit a788bf9 into elastic:main Sep 24, 2024
5 checks passed
@elastic-vault-github-plugin-prod

Package fortinet_fortimanager - 2.13.0 containing this change is available at https://epr.elastic.co/search?package=fortinet_fortimanager

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
* [fortinet_fortimanager] Add more ECS fields mappings

* Update changelog with PR number

* Map appcat to rule.category

* Map srcname/dstname to source.address/destination.address instead
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
* [fortinet_fortimanager] Add more ECS fields mappings

* Update changelog with PR number

* Map appcat to rule.category

* Map srcname/dstname to source.address/destination.address instead